Merge pull request #420 from iriusrisk/release/1.30.0
release/1.30.0 to main
dantolin-iriusrisk authored Dec 17, 2024
2 parents 1efeb8f + 748e794 commit ce8242c
Showing 21 changed files with 145 additions and 39 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/semgrep.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
- uses: actions/checkout@v3

- id: semgrep
run: semgrep ci --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks -q --exclude="tests" --exclude="*/tests" --skip-unknown-extensions --suppress-errors
run: semgrep ci --metrics=off --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks --config .semgrep/rules/detected-aws-account-id-in-arn.yaml --config r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id --config r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key -q --skip-unknown-extensions --suppress-errors
continue-on-error: true

- name: Get branch name (pull request)
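Review bot: The three secret-detection configs added to the `run:` line can only report, never gate: the step still carries `continue-on-error: true` on the next line, so a detected account id or access key leaves the workflow green, while the pre-commit hook passes `--error` for the same rule set. If CI is meant to enforce these rules, drop `continue-on-error: true` or add `--error` to the semgrep command so findings fail the step. The old `--exclude="tests"` filters are gone here, so fixture directories are now scanned in CI; the pre-commit hook's `exclude: "(.)*/tests|tests"` should be dropped in the same way if it survives this commit, otherwise the hook and the workflow disagree on scope. The `jobs:` block continues outside the hunk.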
12 changes: 9 additions & 3 deletions .pre-commit-config.yaml
@@ -1,18 +1,24 @@
repos:
- repo: https://github.com/returntocorp/semgrep
rev: 'v1.14.0'
rev: 'v1.89.0'
hooks:
- id: semgrep
exclude: "(.)*/tests|tests"
args: [
'--metrics=off',
'--config',
'p/owasp-top-ten',
'--config',
'p/cwe-top-25',
'--config',
'p/gitleaks',
'--config',
'r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id',
'--config',
'.semgrep/rules/detected-aws-account-id-in-arn.yaml',
'--config',
'r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key',
'--error',
'--skip-unknown-extensions',
'--exclude-rule=python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text'
]
stages: [commit]
stages: [pre-commit]
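--- a/.semgrep/rules/detected-aws-account-id-in-arn.yaml
+++ b/.semgrep/rules/detected-aws-account-id-in-arn.yaml
@@ -0,0 +1,28 @@
+rules:
+- id: detected-aws-account-id-in-arn
+patterns:
+- pattern-regex: ((?i:aws|arn)[^\d]+\d{12}[^\d]+)
+- pattern-not-regex: 12345|00000
+languages:
+- regex
+message: AWS Account ID detected in arn.
+severity: ERROR
+metadata:
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
+category: security
+technology:
+- secrets
+- aws
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: HIGH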
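Review bot: `[^\d]+` in the `pattern-regex` is unbounded and, as far as I can tell, semgrep regex rules are matched against the whole file, so it also spans newlines: `aws` on one line and an unrelated 12-digit number any distance later (with no digit in between) will match, and `pattern-not-regex: 12345|00000` then suppresses only ids that happen to contain those substrings. Consider bounding the gap and keeping it on one line, e.g. `- pattern-regex: ((?i:aws|arn)[^\d\n]{1,80}\d{12}[^\d\n]+)`, and checking the placeholder against the full 12-digit group rather than any substring. The trailing `[^\d]+` also means an id that ends the file is not reported. The fixture edit in `slp_cft/tests/resources/otm/otm_expected_result.otm`, where the tail of a UUID is rewritten to `123456789012`, looks like a false positive of one of the account-id rules, which argues for tuning before this one ships at `severity: ERROR`.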
5 changes: 3 additions & 2 deletions deployment/Dockerfile.application
Expand Up @@ -4,8 +4,9 @@ WORKDIR /usr/src/app

RUN apk update && \
apk upgrade && \
apk --no-cache add geos geos-dev git graphviz-dev lapack libmagic libstdc++ && \
apk --no-cache add --virtual .builddeps g++ gcc gfortran lapack-dev musl-dev py3-pybind11-dev re2 re2-dev
apk add --repository=https://dl-cdn.alpinelinux.org/alpine/v3.20/main --repository=https://dl-cdn.alpinelinux.org/alpine/v3.20/community \
g++~=13.2 gcc~=13.2 gfortran~=13.2 libgcc~=13.2 libstdc++~=13.2 && \
apk --no-cache add geos geos-dev git graphviz-dev lapack lapack-dev libmagic musl-dev py3-pybind11-dev re2 re2-dev

COPY . .

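Review bot: The rewritten `apk` chain drops both `--no-cache` on the first `add` and the `--virtual .builddeps` grouping, so the index fetched from the v3.20 repositories is left in the layer and the compilers plus `-dev` packages can no longer be removed as a unit (if a later `apk del .builddeps` exists outside the hunk it now fails). Unless the toolchain is needed at runtime, keep the virtual group, e.g. `apk --no-cache add --virtual .builddeps --repository=... g++~=13.2 gcc~=13.2 gfortran~=13.2 ...`, and delete it after the build step so the runtime image does not ship gcc, g++ and musl-dev. Installing from the pinned v3.20 repositories while `apk upgrade` runs against the base image's own repositories mixes releases; that can work but deserves a comment saying why 13.2 is required. The `RUN` instruction continues outside the hunk.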
2 changes: 1 addition & 1 deletion docs/startleft-processors/iac/tf/Terraform-Quickstart.md
Expand Up @@ -47,7 +47,7 @@ data "aws_ami" "ubuntu" {
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
owners = ["123456789012"] # Canonical
}
resource "aws_instance" "web" {
12 changes: 6 additions & 6 deletions examples/tfplan/aws-ingesting-click-logs-using-terraform.json
Expand Up @@ -927,7 +927,7 @@
"schema_version": 0,
"values": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2319,7 +2319,7 @@
"before": null,
"after": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2379,7 +2379,7 @@
"before": null,
"after": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2571,9 +2571,9 @@
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"account_id": "154977180039",
"arn": "arn:aws:iam::656177851052:user/someuser",
"id": "194477180039",
"account_id": "123456789012",
"arn": "arn:aws:iam::123456789015:user/someuser",
"id": "123456789014",
"user_id": "ANYUSERID"
},
"sensitive_values": {}}, {
21 changes: 21 additions & 0 deletions otm/otm/entity/component.py
Expand Up @@ -3,6 +3,11 @@
from otm.otm.entity.parent_type import ParentType
from otm.otm.entity.representation import RepresentationElement
from otm.otm.entity.threat import ThreatInstance
from sl_util.sl_util.str_utils import truncate


MAX_NAME_SIZE = 255
MAX_TAG_SIZE = 255


class Component:
Expand All @@ -19,6 +24,22 @@ def __init__(self, component_id, name, component_type=None, parent=None, parent_
self.threats: [ThreatInstance] = threats or []
self.representations: List[RepresentationElement] = representations

@property
def name(self):
return self._name

@name.setter
def name(self, value):
self._name = truncate(value, MAX_NAME_SIZE)

@property
def tags (self):
return self._tags

@tags.setter
def tags(self, value):
self._tags = [tag for tag in value if tag and len(tag) <= MAX_TAG_SIZE] if value else None

def add_threat(self, threat: ThreatInstance):
self.threats.append(threat)

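Review bot: The new `tags` setter turns an empty list into `None` (`... if value else None`), so a component built with `tags=[]` now exposes `None` and any caller doing `len(c.tags)` or `c.tags.append(...)` breaks; the rewrite in `slp_drawio/tests/unit/load/test_diagram_dataflow_loader.py` from `len(...) == 0` to `not ...` is a symptom of that change rather than a fix for it. It is also inconsistent with `name`, which truncates to 255 characters while over-long tags are silently dropped. I would keep an empty list empty, `self._tags = [tag for tag in (value or []) if tag and len(tag) <= MAX_TAG_SIZE] if value is not None else None`, and make the same change to the identical line in `otm/otm/entity/dataflow.py`. `MAX_NAME_SIZE`/`MAX_TAG_SIZE` are now defined separately in component.py, dataflow.py and trustzone.py, and `def tags (self)` carries a stray space in both files; one definition next to `truncate` in `sl_util.sl_util.str_utils` would keep the limits in step. `Component.__init__` starts outside the hunk.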
23 changes: 23 additions & 0 deletions otm/otm/entity/dataflow.py
@@ -1,3 +1,10 @@
from sl_util.sl_util.str_utils import truncate


MAX_NAME_SIZE = 255
MAX_TAG_SIZE = 255


class Dataflow:
def __init__(self, dataflow_id, name, source_node, destination_node, bidirectional: bool = None,
source=None, attributes=None, tags=None):
Expand All @@ -10,6 +17,22 @@ def __init__(self, dataflow_id, name, source_node, destination_node, bidirection
self.attributes = attributes
self.tags = tags

@property
def name(self):
return self._name

@name.setter
def name(self, value):
self._name = truncate(value, MAX_NAME_SIZE)

@property
def tags (self):
return self._tags

@tags.setter
def tags(self, value):
self._tags = [tag for tag in value if tag and len(tag) <= MAX_TAG_SIZE] if value else None

def json(self):
json = {
"id": self.id,
12 changes: 12 additions & 0 deletions otm/otm/entity/trustzone.py
@@ -1,4 +1,8 @@
from otm.otm.entity.parent_type import ParentType
from sl_util.sl_util.str_utils import truncate


MAX_NAME_SIZE = 255


class Trustzone:
Expand All @@ -14,6 +18,14 @@ def __init__(self, trustzone_id, name, parent=None, parent_type: ParentType = No
self.trustrating = trustrating
self.representations = representations

@property
def name(self):
return self._name

@name.setter
def name(self, value):
self._name = truncate(value, MAX_NAME_SIZE)

def __eq__(self, other):
return type(other) == Trustzone and self.id == other.id

2 changes: 1 addition & 1 deletion setup.py
Expand Up @@ -22,7 +22,7 @@
'python-hcl2==4.3.2',
'requests==2.32.3',
'fastapi>=0.115.2,<0.116.0',
'python-multipart==0.0.7',
'python-multipart==0.0.18',
'click==8.1.7',
'uvicorn==0.23.2',
'shapely==2.0.1',
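--- a/sl_util/sl_util/str_utils.py
+++ b/sl_util/sl_util/str_utils.py
@@ -21,3 +21,6 @@ def to_number(input, default_value: int = 0) -> int:
 return w2n.word_to_num(input)
 except ValueError:
 return default_value
+
+def truncate(s: str, max_length: int) -> str:
+return s[:max_length] if s else s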
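Review bot: `truncate` has no docstring, and its signature promises `str` while the body returns any falsy value unchanged and slices anything else, so a non-string name (an int id, say) would raise `TypeError` inside the `Component.name` setter rather than here. A one-line docstring would pin the contract: `"""Return *s* cut to at most *max_length* characters; falsy values are returned unchanged."""`. Only one blank line appears to separate it from `to_number`; PEP 8 asks for two between top-level definitions. `to_number` starts outside the hunk.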
2 changes: 1 addition & 1 deletion slp_cft/tests/resources/otm/otm_expected_result.otm
Expand Up @@ -368,7 +368,7 @@
]
},
{
"id": "c3b000fd-6108-403c-adee-282422171840",
"id": "c3b000fd-6108-403c-adee-123456789012",
"name": "VPCmonitoringSecurityGroup -> VPCmonitoring",
"source": "b61d6911-338d-46a8-9f39-8dcd24abfe91.customvpc",
"destination": "b61d6911-338d-46a8-9f39-8dcd24abfe91.customvpc.privatesubnet1.vpcmonitoring",
2 changes: 1 addition & 1 deletion slp_drawio/tests/unit/load/test_diagram_dataflow_loader.py
Expand Up @@ -32,7 +32,7 @@ def test_load(self, get_dataflow_tags_wrapper):
assert diagram_dataflows[1].otm.name == 'pt2kyrPXSm7H56EBWWGj-8-dataflow'
assert diagram_dataflows[1].otm.source_node == 'pt2kyrPXSm7H56EBWWGj-7'
assert diagram_dataflows[1].otm.destination_node == 'pt2kyrPXSm7H56EBWWGj-7'
assert len(diagram_dataflows[1].otm.tags) == 0
assert not diagram_dataflows[1].otm.tags

# AND the method get_dataflow_tags has been called once for each dataflow
assert get_dataflow_tags_wrapper.call_count == len(diagram_dataflows)
Expand Up @@ -150,7 +150,7 @@ module "db" {

data "aws_ami" "iriusrisk_ha" {
most_recent = true
owners = ["154977180039"]
owners = ["123456789012"]

filter {
name = "name"
Expand Up @@ -40,20 +40,22 @@ resource "aws_acm_certificate" "acm_certificate" {
resource "aws_kms_key" "kms_key" {
description = "KMS key 1"
deletion_window_in_days = 10
enable_key_rotation = true
}

resource "aws_cloudwatch_log_group" "cloudwatch_log_group_1" {
name = "Yada"

retention_in_days = 14
tags = {
Environment = "production"
Application = "serviceA"
}

}

resource "aws_cloudwatch_log_group" "cloudwatch_log_group_2" {
name = "Yada"

retention_in_days = 14
tags = {
Environment = "production"
Application = "serviceA"
Expand Down Expand Up @@ -140,7 +142,7 @@ resource "aws_mq_broker" "mq_broker" {

user {
username = "ExampleUser"
password = "MindTheGap"
password = "******"
}
}

Expand Down Expand Up @@ -190,6 +192,7 @@ resource "aws_config_configuration_recorder" "config_configuration_recorder" {

resource "aws_ecr_repository" "ecr_repository" {
name = "bar"
image_tag_mutability = "IMMUTABLE"
}

resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" {
Expand Down Expand Up @@ -293,9 +296,9 @@ resource "aws_sns_topic" "sns_topic" {
}

resource "aws_sns_topic_subscription" "sns_topic_subscription" {
topic_arn = "arn:aws:sns:us-west-2:432981146916:user-updates-topic"
topic_arn = "arn:aws:sns:us-west-2:123456789012:user-updates-topic"
protocol = "sqs"
endpoint = "arn:aws:sqs:us-west-2:432981146916:terraform-queue-too"
endpoint = "arn:aws:sqs:us-west-2:123456789012:terraform-queue-too"
}

resource "aws_waf_ipset" "waf_ipset" {
Expand Down Expand Up @@ -392,6 +395,9 @@ resource "aws_kinesis_analytics_application" "kinesis_analytics_application_2" {
resource "aws_kinesis_stream" "kinesis_stream" {
name = "example-stream"
shard_count = 1
encryption_type = "KMS"
kms_key_id = "example-kms-key-id"

}

resource "aws_kinesis_stream_consumer" "kinesis_stream_consumer" {
Expand Up @@ -259,7 +259,7 @@ resource "aws_security_group" "webserver" {

data "aws_ami" "iriusrisk_ha" {
most_recent = true
owners = ["154977180039"]
owners = ["123456789012"]

filter {
name = "name"
Expand Up @@ -10,8 +10,8 @@ iriusrisk_version = "4.5.1"
startleft_version = "startleft"
type = "internal"
bastion_host_cidrs = ["52.30.97.44/32"]
certificate_arn = "arn:aws:iam::154977180039:server-certificate/wildcard-iriusrisk-com-until-25-oct-2022"
iam_instance_profile_arn = "arn:aws:iam::154977180039:instance-profile/myManagedInstanceRoleforSSM"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/example-certificate"
iam_instance_profile_arn = "arn:aws:iam::123456789012:instance-profile/myManagedInstanceRoleforSSM"

## vpc
vpc_cidr = "10.0.0.0/16"
12 changes: 6 additions & 6 deletions slp_tfplan/tests/resources/tfplan/official-tfplan.json
Expand Up @@ -927,7 +927,7 @@
"schema_version": 0,
"values": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2319,7 +2319,7 @@
"before": null,
"after": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2379,7 +2379,7 @@
"before": null,
"after": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2571,9 +2571,9 @@
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"account_id": "154977180039",
"arn": "arn:aws:iam::656177851052:user/someuser",
"id": "194477180039",
"account_id": "123456789012",
"arn": "arn:aws:iam::123456789012:user/someuser",
"id": "123456789012",
"user_id": "ANYUSERID"
},
"sensitive_values": {}}, {
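Review bot: This copy and `examples/tfplan/aws-ingesting-click-logs-using-terraform.json` are edited at identical offsets but end up different: here `account_id`, the account inside `arn` and `id` all become `123456789012`, while the example keeps three distinct values (`123456789012`, `123456789015`, `123456789014`). If any test relates this fixture to the example, or if the three original values being different is something the mapper tests rely on, the two files should receive the same replacement; otherwise the divergence is just a trap for the next reader comparing them.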
4 changes: 2 additions & 2 deletions slp_tfplan/tests/unit/map/test_tfplan_mapper.py
Expand Up @@ -111,8 +111,8 @@ def test_mapping_by_type(self):

@mark.parametrize('regex,resource_type', [
param(r'^aws_\w*$','aws_vpc', id='aws_vpc'),
param(r'^a+$','a'*256, id='long_string'),
param(r'^(a+)+$','a'*256, id='redos_attack'),
param(r'^a+$','a'*255, id='long_string'),
param(r'^(a+)+$','a'*255, id='redos_attack'),
])
def test_mapping_by_regex(self,regex,resource_type:str):
# GIVEN a resource of some TF type
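Review bot: Shrinking both parametrized inputs from `'a'*256` to `'a'*255` removes the only case that exceeded the new 255-character limit, so the `redos_attack` case no longer shows whether an over-long value is truncated before `^(a+)+$` is applied or whether the regex still sees the full string. If the limit is the reason for the change (the commit does not say), keep one case above it with its expected outcome spelled out, e.g. `param(r'^(a+)+$','a'*300, id='redos_attack_over_limit')`. `test_mapping_by_regex` continues outside the hunk.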