diff --git a/glitch/analysis/security.py b/glitch/analysis/security.py
index 89ec2d0..b171724 100644
--- a/glitch/analysis/security.py
+++ b/glitch/analysis/security.py
@@ -159,42 +159,42 @@ def check_atomicunit(self, au: AtomicUnit, file: str) -> List[Error]: def check_dependency(self, d: Dependency, file: str) -> List[Error]: return [] - def __check_keyvalue(self, c: KeyValue, name: str, - value: str, has_variable: bool, file: str, au_type = None, parent_name: str = ""): + def __check_keyvalue(self, c: KeyValue, file: str, au_type = None, parent_name: str = ""): errors = [] - name = name.strip().lower() - if (isinstance(value, type(None))): + c.name = c.name.strip().lower() + + if (isinstance(c.value, type(None))): for child in c.keyvalues: - errors += self.check_element(child, file, au_type, name) + errors += self.check_element(child, file, au_type, c.name) return errors - elif (isinstance(value, str)): - value = value.strip().lower() + elif (isinstance(c.value, str)): + c.value = c.value.strip().lower() else: - errors += self.check_element(value, file) - value = repr(value) + errors += self.check_element(c.value, file) + c.value = repr(c.value) - if self.__is_http_url(value): + if self.__is_http_url(c.value): errors.append(Error('sec_https', c, file, repr(c))) - if re.match(r'(?:https?://|^)0.0.0.0', value) or\ - (name == "ip" and value in {"*", '::'}) or\ - (name in SecurityVisitor.__IP_BIND_COMMANDS and - (value == True or value in {'*', '::'})): + if re.match(r'(?:https?://|^)0.0.0.0', c.value) or\ + (c.name == "ip" and c.value in {"*", '::'}) or\ + (c.name in SecurityVisitor.__IP_BIND_COMMANDS and + (c.value == True or c.value in {'*', '::'})): errors.append(Error('sec_invalid_bind', c, file, repr(c))) - if self.__is_weak_crypt(value, name): + if self.__is_weak_crypt(c.value, c.name): errors.append(Error('sec_weak_crypt', c, file, repr(c))) for check in SecurityVisitor.__CHECKSUM: - if (check in name and (value == 'no' or value == 'false')): + if (check in c.name and (c.value == 'no' or c.value == 'false')): errors.append(Error('sec_no_int_check', c, file, repr(c))) break for item in (SecurityVisitor.__ROLES + 
SecurityVisitor.__USERS): - if (re.match(r'[_A-Za-z0-9$\/\.\[\]-]*{text}\b'.format(text=item), name)): - if (len(value) > 0 and not has_variable): + if (re.match(r'[_A-Za-z0-9$\/\.\[\]-]*{text}\b'.format(text=item), c.name)): + if (len(c.value) > 0 and not c.has_variable): for admin in SecurityVisitor.__ADMIN: - if admin in value: + if admin in c.value: errors.append(Error('sec_def_admin', c, file, repr(c))) break @@ -234,8 +234,8 @@ def get_module_var(c, name: str): # only for terraform var = None - if (has_variable and self.tech == Tech.terraform): - value = re.sub(r'^\${(.*)}$', r'\1', value) + if (c.has_variable and self.tech == Tech.terraform): + value = re.sub(r'^\${(.*)}$', r'\1', c.value) if value.startswith("var."): # input variable (atomic unit with type variable) au = get_au(self.code, value.strip("var."), "variable") if au != None: @@ -247,12 +247,12 @@ def get_module_var(c, name: str): for item in (SecurityVisitor.__PASSWORDS + SecurityVisitor.__SECRETS + SecurityVisitor.__USERS): - if (re.match(r'[_A-Za-z0-9$\/\.\[\]-]*{text}\b'.format(text=item), name) - and name.split("[")[0] not in SecurityVisitor.__SECRETS_WHITELIST + SecurityVisitor.__PROFILE): - if (not has_variable or var): + if (re.match(r'[_A-Za-z0-9$\/\.\[\]-]*{text}\b'.format(text=item), c.name) + and c.name.split("[")[0] not in SecurityVisitor.__SECRETS_WHITELIST + SecurityVisitor.__PROFILE): + if (not c.has_variable or var): - if not has_variable: - if (item in SecurityVisitor.__PASSWORDS and len(value) == 0): + if not c.has_variable: + if (item in SecurityVisitor.__PASSWORDS and len(c.value) == 0): errors.append(Error('sec_empty_pass', c, file, repr(c))) break if var is not None: 
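Review bot: `c.name = c.name.strip().lower()`, `c.value = c.value.strip().lower()` and `c.value = repr(c.value)` in the @@ -159 hunk normalize the visited element in place, so the IR node keeps the lowercased text — and, for non-string values, a str produced by repr() — after `__check_keyvalue` returns; every later consumer, including the `repr(c)` embedded in each Error, now sees the normalized form rather than what was written in the file. The old code did this on locals and left the element untouched. If the mutation is intended, the method should say so in a docstring, e.g. `"""Check a key/value element; normalizes c.name and c.value in place (stripped, lowercased, non-str values replaced by their repr())."""`; otherwise keep the normalized copies in locals and pass those to the checkers. `__check_keyvalue` continues past this hunk (the @@ -234, @@ -247 and @@ -269 hunks).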
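Review bot: In the @@ -234 hunk the `${...}` unwrapping now lands only in the local `value`, so when the reference cannot be resolved (`var` stays None) the checkers later receive `c.value` with the wrapper intact, whereas before they received the stripped form. This may be intended — the `^\${aws_cloudwatch_log_group\..` pattern in logging.py in this same commit expects the wrapper — but it is a silent behaviour change for every checker that compares `element.value` against literal `config['values']`, and deserves a comment such as `# value: reference with ${...} removed, used only for the variable lookup; c.value keeps the original text`. On the unchanged line below, `value.strip("var.")` strips any of the characters `v`, `a`, `r`, `.` from both ends rather than the `var.` prefix; `value.removeprefix("var.")` expresses what is meant and the file's `list[Error]` annotations already require Python 3.9+. The enclosing function continues outside the hunk.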
@@ -269,40 +269,40 @@ def get_module_var(c, name: str): break for item in SecurityVisitor.__SSH_DIR: - if item.lower() in name: - if len(value) > 0 and '/id_rsa' in value: + if item.lower() in c.name: + if len(c.value) > 0 and '/id_rsa' in c.value: errors.append(Error('sec_hard_secr', c, file, repr(c))) for item in SecurityVisitor.__MISC_SECRETS: - if (re.match(r'([_A-Za-z0-9$-]*[-_]{text}([-_].*)?$)|(^{text}([-_].*)?$)'.format(text=item), name) - and len(value) > 0 and not has_variable): + if (re.match(r'([_A-Za-z0-9$-]*[-_]{text}([-_].*)?$)|(^{text}([-_].*)?$)'.format(text=item), c.name) + and len(c.value) > 0 and not c.has_variable): errors.append(Error('sec_hard_secr', c, file, repr(c))) for item in SecurityVisitor.__SENSITIVE_DATA: - if item.lower() in name: + if item.lower() in c.name: for item_value in (SecurityVisitor.__SECRET_ASSIGN): - if item_value in value.lower(): + if item_value in c.value.lower(): errors.append(Error('sec_hard_secr', c, file, repr(c))) if ("password" in item_value): errors.append(Error('sec_hard_pass', c, file, repr(c))) - if (au_type in SecurityVisitor.__GITHUB_ACTIONS and name == "plaintext_value"): + if (au_type in SecurityVisitor.__GITHUB_ACTIONS and c.name == "plaintext_value"): errors.append(Error('sec_hard_secr', c, file, repr(c))) - if (has_variable and var): - has_variable = False - value = var.value + if (c.has_variable and var is not None): + c.has_variable = var.has_variable + c.value = var.value for checker in self.checkers: - errors += checker.check(c, file, self.code, value, au_type, parent_name) + errors += checker.check(c, file, self.code, au_type, parent_name) return errors def check_attribute(self, a: Attribute, file: str, au_type = None, parent_name: str = "") -> list[Error]: - return self.__check_keyvalue(a, a.name, a.value, a.has_variable, file, au_type, parent_name) + return self.__check_keyvalue(a, file, au_type, parent_name) def check_variable(self, v: Variable, file: str) -> list[Error]: - return 
self.__check_keyvalue(v, v.name, v.value, v.has_variable, file) + return self.__check_keyvalue(v, file) def check_comment(self, c: Comment, file: str) -> List[Error]: errors = [] diff --git a/glitch/analysis/terraform/access_control.py b/glitch/analysis/terraform/access_control.py index c0dc49e..d7d2da2 100644 --- a/glitch/analysis/terraform/access_control.py +++ b/glitch/analysis/terraform/access_control.py @@ -6,7 +6,7 @@ class TerraformAccessControl(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): if (element.type == "resource.aws_api_gateway_method"): 
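Review bot: `c.has_variable = var.has_variable` and `c.value = var.value` in the @@ -269 hunk overwrite the attribute with the resolved variable's value and leave it that way, so every Error the checkers raise embeds `repr(c)` of the substituted value, and anything that visits the element afterwards sees the variable's value instead of the `${var...}` reference written in the file; the old code only substituted a local. The substituted value also skips the strip/lower/repr normalization applied at the top of the method, so a `var.value` that is None or not a string would reach the checkers' `element.value.lower()` calls. Snapshot and restore around the checker loop — `saved = (c.value, c.has_variable)` before the substitution and `c.value, c.has_variable = saved` once the `for checker in self.checkers:` loop completes (or a try/finally) — or state the persistence in the method's docstring. Note also that the old code forced `has_variable = False` here; propagating `var.has_variable` changes which checks the `not element.has_variable` guards skip, presumably intended but worth a comment.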
@@ -60,26 +60,26 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, pattern = re.compile(rf"{expr}") allow_expr = "\"effect\":" + "\s*" + "\"allow\"" allow_pattern = re.compile(rf"{allow_expr}") - if re.search(pattern, elem_value) and re.search(allow_pattern, elem_value): + if re.search(pattern, element.value) and re.search(allow_pattern, element.value): errors.append(Error('sec_access_control', element, file, repr(element))) break if (re.search(r"actions\[\d+\]", element.name) and parent_name == "permissions" - and au_type == "resource.azurerm_role_definition" and elem_value == "*"): + and au_type == "resource.azurerm_role_definition" and element.value == "*"): errors.append(Error('sec_access_control', element, file, repr(element))) elif (((re.search(r"members\[\d+\]", element.name) and au_type == "resource.google_storage_bucket_iam_binding") or (element.name == "member" and au_type == "resource.google_storage_bucket_iam_member")) - and (elem_value == "allusers" or elem_value == "allauthenticatedusers")): + and (element.value == "allusers" or element.value == "allauthenticatedusers")): errors.append(Error('sec_access_control', element, file, repr(element))) elif (element.name == "email" and parent_name == "service_account" and au_type == "resource.google_compute_instance" - and re.search(r".-compute@developer.gserviceaccount.com", elem_value)): + and re.search(r".-compute@developer.gserviceaccount.com", element.value)): errors.append(Error('sec_access_control', element, file, repr(element))) for config in SecurityVisitor._ACCESS_CONTROL_CONFIGS: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and not element.has_variable - and elem_value.lower() not in config['values'] + and element.value.lower() not in config['values'] and config['values'] != [""]): errors.append(Error('sec_access_control', element, file, repr(element))) break 
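Review bot: The `element.value.lower()` and `re.search(..., element.value)` calls in the @@ -60 hunk assume `element.value` is always a str, an assumption the removed `elem_value: str = ""` default used to guarantee for callers that passed nothing. Inside this commit the only visible caller is `SecurityVisitor.__check_keyvalue`, which returns early for a None value and repr()s non-strings before reaching the checkers, so the path shown is safe; any other caller of `check()` with an Attribute or Variable (the remaining call sites are not visible to me) would get an AttributeError on a block-valued attribute. Either document the precondition on `TerraformSmellChecker.check` (`element.value must be a normalized str when element is an Attribute or Variable`) or guard the Attribute/Variable branch with `isinstance(element.value, str)`. The same applies to the corresponding hunks in authentication.py, dns_policy.py, firewall_misconfig.py, http_without_tls.py, integrity_policy.py, key_management.py, logging.py, missing_encryption.py, naming.py, network_policy.py, permission_iam_policies.py, public_ip.py, replication.py, ssl_tls_policy.py, threats_detection.py and versioning.py; the enclosing `check()` method starts outside this hunk.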
diff --git a/glitch/analysis/terraform/attached_resource.py b/glitch/analysis/terraform/attached_resource.py index 1fb525f..67ea636 100644 --- a/glitch/analysis/terraform/attached_resource.py +++ b/glitch/analysis/terraform/attached_resource.py @@ -1,11 +1,11 @@ from glitch.analysis.terraform.smell_checker import TerraformSmellChecker from glitch.analysis.rules import Error from glitch.analysis.security import SecurityVisitor -from glitch.repr.inter import AtomicUnit, Attribute, Variable +from glitch.repr.inter import AtomicUnit class TerraformAttachedResource(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): def check_attached_resource(attributes, resource_types): diff --git a/glitch/analysis/terraform/authentication.py b/glitch/analysis/terraform/authentication.py index 87d7ca1..fd70a8c 100644 --- a/glitch/analysis/terraform/authentication.py +++ b/glitch/analysis/terraform/authentication.py @@ -6,7 +6,7 @@ class TerraformAuthentication(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): if (element.type == "resource.google_sql_database_instance"): 
@@ -32,13 +32,13 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, if au_type in config['au_type']: expr = config['keyword'].lower() + "\s*" + config['value'].lower() pattern = re.compile(rf"{expr}") - if not re.search(pattern, elem_value): + if not re.search(pattern, element.value): errors.append(Error('sec_authentication', element, file, repr(element))) for config in SecurityVisitor._AUTHENTICATION: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and not element.has_variable - and elem_value.lower() not in config['values'] + and element.value.lower() not in config['values'] and config['values'] != [""]): errors.append(Error('sec_authentication', element, file, repr(element))) break diff --git a/glitch/analysis/terraform/dns_policy.py b/glitch/analysis/terraform/dns_policy.py index 1fb5039..7e1fb39 100644 --- a/glitch/analysis/terraform/dns_policy.py +++ b/glitch/analysis/terraform/dns_policy.py @@ -5,7 +5,7 @@ class TerraformDnsWithoutDnssec(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): for config in SecurityVisitor._DNSSEC_CONFIGS: @@ -18,7 +18,7 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, for config in SecurityVisitor._DNSSEC_CONFIGS: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and not element.has_variable - and elem_value.lower() not in config['values'] + and element.value.lower() not in config['values'] and config['values'] != [""]): return [Error('sec_dnssec', element, file, repr(element))] return errors \ No newline at end of file 
diff --git a/glitch/analysis/terraform/firewall_misconfig.py b/glitch/analysis/terraform/firewall_misconfig.py index fd79b7b..fdc57d2 100644 --- a/glitch/analysis/terraform/firewall_misconfig.py +++ b/glitch/analysis/terraform/firewall_misconfig.py @@ -5,7 +5,7 @@ class TerraformFirewallMisconfig(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): for config in SecurityVisitor._FIREWALL_CONFIGS: @@ -18,9 +18,9 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, for config in SecurityVisitor._FIREWALL_CONFIGS: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and config['values'] != [""]): - if ("any_not_empty" in config['values'] and elem_value.lower() == ""): + if ("any_not_empty" in config['values'] and element.value.lower() == ""): return [Error('sec_firewall_misconfig', element, file, repr(element))] elif ("any_not_empty" not in config['values'] and not element.has_variable and - elem_value.lower() not in config['values']): + element.value.lower() not in config['values']): return [Error('sec_firewall_misconfig', element, file, repr(element))] return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/http_without_tls.py b/glitch/analysis/terraform/http_without_tls.py index 4feffb0..7a1de35 100644 --- a/glitch/analysis/terraform/http_without_tls.py +++ b/glitch/analysis/terraform/http_without_tls.py @@ -5,7 +5,7 @@ class TerraformHttpWithoutTls(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): if (element.type == "data.http"): 
@@ -38,6 +38,6 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, for config in SecurityVisitor._HTTPS_CONFIGS: if (element.name == config["attribute"] and au_type in config["au_type"] and parent_name in config["parents"] and not element.has_variable - and elem_value.lower() not in config["values"]): + and element.value.lower() not in config["values"]): return [Error('sec_https', element, file, repr(element))] return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/integrity_policy.py b/glitch/analysis/terraform/integrity_policy.py index 309a3da..73d9b19 100644 --- a/glitch/analysis/terraform/integrity_policy.py +++ b/glitch/analysis/terraform/integrity_policy.py @@ -5,7 +5,7 @@ class TerraformIntegrityPolicy(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): for policy in SecurityVisitor._INTEGRITY_POLICY: @@ -17,6 +17,6 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, for policy in SecurityVisitor._INTEGRITY_POLICY: if (element.name == policy['attribute'] and au_type in policy['au_type'] and parent_name in policy['parents'] and not element.has_variable - and elem_value.lower() not in policy['values']): + and element.value.lower() not in policy['values']): return[Error('sec_integrity_policy', element, file, repr(element))] return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/key_management.py b/glitch/analysis/terraform/key_management.py index d3568e6..bf081bd 100644 --- a/glitch/analysis/terraform/key_management.py +++ b/glitch/analysis/terraform/key_management.py 
@@ -6,7 +6,7 @@ class TerraformKeyManagement(TerraformSmellChecker):
- def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""):
+ def check(self, element, file: str, code, au_type = None, parent_name = ""):
 errors = []
 if isinstance(element, AtomicUnit):
 if (element.type == "resource.azurerm_storage_account"):
@@ -27,24 +27,24 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, for config in SecurityVisitor._KEY_MANAGEMENT: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and config['values'] != [""]): - if ("any_not_empty" in config['values'] and elem_value.lower() == ""): + if ("any_not_empty" in config['values'] and element.value.lower() == ""): errors.append(Error('sec_key_management', element, file, repr(element))) break elif ("any_not_empty" not in config['values'] and not element.has_variable and - elem_value.lower() not in config['values']): + element.value.lower() not in config['values']): errors.append(Error('sec_key_management', element, file, repr(element))) break if (element.name == "rotation_period" and au_type == "resource.google_kms_crypto_key"): expr1 = r'\d+\.\d{0,9}s' expr2 = r'\d+s' - if (re.search(expr1, elem_value) or re.search(expr2, elem_value)): - if (int(elem_value.split("s")[0]) > 7776000): + if (re.search(expr1, element.value) or re.search(expr2, element.value)): + if (int(element.value.split("s")[0]) > 7776000): errors.append(Error('sec_key_management', element, file, repr(element))) else: errors.append(Error('sec_key_management', element, file, repr(element))) elif (element.name == "kms_master_key_id" and ((au_type == "resource.aws_sqs_queue" - and elem_value == "alias/aws/sqs") or (au_type == "resource.aws_sns_queue" - and elem_value == "alias/aws/sns"))): + and element.value == "alias/aws/sqs") or (au_type == "resource.aws_sns_queue" + and element.value == "alias/aws/sns"))): errors.append(Error('sec_key_management', element, file, repr(element))) return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/logging.py b/glitch/analysis/terraform/logging.py index a7c785c..27ac36f 100644 --- a/glitch/analysis/terraform/logging.py +++ b/glitch/analysis/terraform/logging.py 
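Review bot: `int(element.value.split("s")[0])` on the new line in the @@ -27 hunk raises ValueError for a value that `expr1` (`\d+\.\d{0,9}s`) deliberately accepts, e.g. a constructed `"7776000.5s"`, because `int("7776000.5")` is not valid; `re.search` is also unanchored, so a constructed value like `"every 10s"` passes the pattern test and then fails the conversion, aborting the analysis instead of reporting a smell. Use `float(element.value.split("s")[0]) > 7776000`, or anchor both patterns with `re.fullmatch` so the branch only converts what it actually matched. The rest of `check()` lies outside this hunk.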
@@ -63,7 +63,7 @@ def check_azurerm_storage_container(self, element, code, file: str): errors.append(Error('sec_logging', container_access_type, file, repr(container_access_type))) storage_account_name = self.check_required_attribute(element.attributes, [""], "storage_account_name") - if not (storage_account_name and storage_account_name.value.lower().startswith("${azurerm_storage_account.")): + if not (storage_account_name is not None and storage_account_name.value.lower().startswith("${azurerm_storage_account.")): errors.append(Error('sec_logging', element, file, repr(element), f"Suggestion: 'azurerm_storage_container' resource has to be associated to an " + f"'azurerm_storage_account' resource in order to enable logging.") @@ -108,7 +108,7 @@ def check_azurerm_storage_container(self, element, code, file: str): return errors - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): if (element.type == "resource.aws_eks_cluster"): @@ -229,8 +229,8 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, elif isinstance(element, Attribute) or isinstance(element, Variable): if (element.name == "cloud_watch_logs_group_arn" and au_type == "resource.aws_cloudtrail"): - if re.match(r"^\${aws_cloudwatch_log_group\..", elem_value): - aws_cloudwatch_log_group_name = elem_value.split('.')[1] + if re.match(r"^\${aws_cloudwatch_log_group\..", element.value): + aws_cloudwatch_log_group_name = element.value.split('.')[1] if not self.get_au(code, file, aws_cloudwatch_log_group_name, "resource.aws_cloudwatch_log_group"): errors.append(Error('sec_logging', element, file, repr(element), f"Suggestion: check for a required resource 'aws_cloudwatch_log_group' " + 
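Review bot: The new `storage_account_name is not None and storage_account_name.value.lower()...` condition in the @@ -63 hunk still dereferences `.value` without checking it is a string; security.py in this same commit treats a None value as a nested block (`for child in c.keyvalues`), so a `storage_account_name` written as a block would raise AttributeError here rather than report the smell. `isinstance(storage_account_name.value, str) and storage_account_name.value.lower().startswith("${azurerm_storage_account.")` keeps the `is not None` tightening and makes the missing-association error fire for that shape as well. Whether this attribute's value has already been normalized by `__check_keyvalue` depends on visiting order, which I cannot see from the hunk; the `.lower()` covers the case either way. `check_azurerm_storage_container` starts and ends outside this hunk.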
@@ -242,21 +242,21 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, "resource.azurerm_mssql_server_extended_auditing_policy"]) or (element.name == "days" and parent_name == "retention_policy" and au_type == "resource.azurerm_network_watcher_flow_log")) - and ((not elem_value.isnumeric()) or (elem_value.isnumeric() and int(elem_value) < 90))): + and ((not element.value.isnumeric()) or (element.value.isnumeric() and int(element.value) < 90))): errors.append(Error('sec_logging', element, file, repr(element))) elif (element.name == "days" and parent_name == "retention_policy" and au_type == "resource.azurerm_monitor_log_profile" - and (not elem_value.isnumeric() or (elem_value.isnumeric() and int(elem_value) < 365))): + and (not element.value.isnumeric() or (element.value.isnumeric() and int(element.value) < 365))): errors.append(Error('sec_logging', element, file, repr(element))) for config in SecurityVisitor._LOGGING: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and config['values'] != [""]): - if ("any_not_empty" in config['values'] and elem_value.lower() == ""): + if ("any_not_empty" in config['values'] and element.value.lower() == ""): errors.append(Error('sec_logging', element, file, repr(element))) break elif ("any_not_empty" not in config['values'] and not element.has_variable and - elem_value.lower() not in config['values']): + element.value.lower() not in config['values']): errors.append(Error('sec_logging', element, file, repr(element))) break return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/missing_encryption.py b/glitch/analysis/terraform/missing_encryption.py index fc55936..65c64f6 100644 --- a/glitch/analysis/terraform/missing_encryption.py +++ b/glitch/analysis/terraform/missing_encryption.py 
@@ -6,7 +6,7 @@ class TerraformMissingEncryption(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): if (element.type == "resource.aws_s3_bucket"): @@ -63,11 +63,11 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, for config in SecurityVisitor._MISSING_ENCRYPTION: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and config['values'] != [""]): - if ("any_not_empty" in config['values'] and elem_value.lower() == ""): + if ("any_not_empty" in config['values'] and element.value.lower() == ""): errors.append(Error('sec_missing_encryption', element, file, repr(element))) break elif ("any_not_empty" not in config['values'] and not element.has_variable - and elem_value.lower() not in config['values']): + and element.value.lower() not in config['values']): errors.append(Error('sec_missing_encryption', element, file, repr(element))) break @@ -77,10 +77,10 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, if au_type in config['au_type']: expr = config['keyword'].lower() + "\s*" + config['value'].lower() pattern = re.compile(rf"{expr}") - if not re.search(pattern, elem_value) and config['required'] == "yes": + if not re.search(pattern, element.value) and config['required'] == "yes": errors.append(Error('sec_missing_encryption', element, file, repr(element))) break - elif re.search(pattern, elem_value) and config['required'] == "must_not_exist": + elif re.search(pattern, element.value) and config['required'] == "must_not_exist": errors.append(Error('sec_missing_encryption', element, file, repr(element))) break return errors \ No newline at end of file 
diff --git a/glitch/analysis/terraform/naming.py b/glitch/analysis/terraform/naming.py index 3a312a7..3752640 100644 --- a/glitch/analysis/terraform/naming.py +++ b/glitch/analysis/terraform/naming.py @@ -6,7 +6,7 @@ class TerraformNaming(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): if (element.type == "resource.aws_security_group"): @@ -37,17 +37,17 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, elif isinstance(element, Attribute) or isinstance(element, Variable): if (element.name == "name" and au_type in ["resource.azurerm_storage_account"]): pattern = r'^[a-z0-9]{3,24}$' - if not re.match(pattern, elem_value): + if not re.match(pattern, element.value): errors.append(Error('sec_naming', element, file, repr(element))) for config in SecurityVisitor._NAMING: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and config['values'] != [""]): - if ("any_not_empty" in config['values'] and elem_value.lower() == ""): + if ("any_not_empty" in config['values'] and element.value.lower() == ""): errors.append(Error('sec_naming', element, file, repr(element))) break elif ("any_not_empty" not in config['values'] and not element.has_variable and - elem_value.lower() not in config['values']): + element.value.lower() not in config['values']): errors.append(Error('sec_naming', element, file, repr(element))) break return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/network_policy.py b/glitch/analysis/terraform/network_policy.py index 0d5b7e7..a0b50c2 100644 --- a/glitch/analysis/terraform/network_policy.py +++ b/glitch/analysis/terraform/network_policy.py 
@@ -6,7 +6,7 @@ class TerraformNetworkSecurityRules(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): if (element.type == "resource.azurerm_network_security_rule"): @@ -52,7 +52,7 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, elif isinstance(element, Attribute) or isinstance(element, Variable): for rule in SecurityVisitor._NETWORK_SECURITY_RULES: if (element.name == rule['attribute'] and au_type in rule['au_type'] and parent_name in rule['parents'] - and not element.has_variable and elem_value.lower() not in rule['values'] and rule['values'] != [""]): + and not element.has_variable and element.value.lower() not in rule['values'] and rule['values'] != [""]): return [Error('sec_network_security_rules', element, file, repr(element))] return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/permission_iam_policies.py b/glitch/analysis/terraform/permission_iam_policies.py index 793bc17..13fa4f6 100644 --- a/glitch/analysis/terraform/permission_iam_policies.py +++ b/glitch/analysis/terraform/permission_iam_policies.py @@ -6,7 +6,7 @@ class TerraformPermissionIAMPolicies(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): if (element.type == "resource.aws_iam_user"): 
@@ -20,16 +20,16 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, elif isinstance(element, Attribute) or isinstance(element, Variable): if ((element.name == "member" or element.name.split('[')[0] == "members") and au_type in SecurityVisitor._GOOGLE_IAM_MEMBER - and (re.search(r".-compute@developer.gserviceaccount.com", elem_value) or - re.search(r".@appspot.gserviceaccount.com", elem_value) or - re.search(r"user:", elem_value))): + and (re.search(r".-compute@developer.gserviceaccount.com", element.value) or + re.search(r".@appspot.gserviceaccount.com", element.value) or + re.search(r"user:", element.value))): errors.append(Error('sec_permission_iam_policies', element, file, repr(element))) for config in SecurityVisitor._PERMISSION_IAM_POLICIES: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and config['values'] != [""]): - if ((config['logic'] == "equal" and not element.has_variable and elem_value.lower() not in config['values']) - or (config['logic'] == "diff" and elem_value.lower() in config['values'])): + if ((config['logic'] == "equal" and not element.has_variable and element.value.lower() not in config['values']) + or (config['logic'] == "diff" and element.value.lower() in config['values'])): errors.append(Error('sec_permission_iam_policies', element, file, repr(element))) break return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/public_ip.py b/glitch/analysis/terraform/public_ip.py index 9b69fba..9bd0552 100644 --- a/glitch/analysis/terraform/public_ip.py +++ b/glitch/analysis/terraform/public_ip.py @@ -5,7 +5,7 @@ class TerraformPublicIp(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): for config in SecurityVisitor._PUBLIC_IP_CONFIGS: 
@@ -22,7 +22,7 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, for config in SecurityVisitor._PUBLIC_IP_CONFIGS: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and not element.has_variable - and elem_value.lower() not in config['values'] + and element.value.lower() not in config['values'] and config['values'] != [""]): return [Error('sec_public_ip', element, file, repr(element))] return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/replication.py b/glitch/analysis/terraform/replication.py index 3757b46..0647715 100644 --- a/glitch/analysis/terraform/replication.py +++ b/glitch/analysis/terraform/replication.py @@ -6,7 +6,7 @@ class TerraformReplication(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): if (element.type == "resource.aws_s3_bucket"): @@ -28,6 +28,6 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, for config in SecurityVisitor._REPLICATION: if (element.name == config['attribute'] and au_type in config['au_type'] and parent_name in config['parents'] and config['values'] != [""] - and not element.has_variable and elem_value.lower() not in config['values']): + and not element.has_variable and element.value.lower() not in config['values']): return [Error('sec_replication', element, file, repr(element))] return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/sensitive_iam_action.py b/glitch/analysis/terraform/sensitive_iam_action.py index 997ec78..d3b0919 100644 --- a/glitch/analysis/terraform/sensitive_iam_action.py +++ b/glitch/analysis/terraform/sensitive_iam_action.py 
@@ -5,7 +5,7 @@ class TerraformSensitiveIAMAction(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] def convert_string_to_dict(input_string): diff --git a/glitch/analysis/terraform/ssl_tls_policy.py b/glitch/analysis/terraform/ssl_tls_policy.py index f2e7eec..e42d56a 100644 --- a/glitch/analysis/terraform/ssl_tls_policy.py +++ b/glitch/analysis/terraform/ssl_tls_policy.py @@ -5,7 +5,7 @@ class TerraformSslTlsPolicy(TerraformSmellChecker): - def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""): + def check(self, element, file: str, code, au_type = None, parent_name = ""): errors = [] if isinstance(element, AtomicUnit): if (element.type in ["resource.aws_alb_listener", "resource.aws_lb_listener"]): @@ -26,6 +26,6 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None, for policy in SecurityVisitor._SSL_TLS_POLICY: if (element.name == policy['attribute'] and au_type in policy['au_type'] and parent_name in policy['parents'] and not element.has_variable - and elem_value.lower() not in policy['values']): + and element.value.lower() not in policy['values']): return [Error('sec_ssl_tls_policy', element, file, repr(element))] return errors \ No newline at end of file diff --git a/glitch/analysis/terraform/threats_detection.py b/glitch/analysis/terraform/threats_detection.py index 66ce393..29226cf 100644 --- a/glitch/analysis/terraform/threats_detection.py +++ b/glitch/analysis/terraform/threats_detection.py 
@@ -5,7 +5,7 @@ class TerraformThreatsDetection(TerraformSmellChecker):
- def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""):
+ def check(self, element, file: str, code, au_type = None, parent_name = ""):
 errors = []
 if isinstance(element, AtomicUnit):
 for config in SecurityVisitor._MISSING_THREATS_DETECTION_ALERTS:
@@ -22,9 +22,9 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None,
 for config in SecurityVisitor._MISSING_THREATS_DETECTION_ALERTS:
 if (element.name == config['attribute'] and au_type in config['au_type']
 and parent_name in config['parents'] and config['values'] != [""]):
- if ("any_not_empty" in config['values'] and elem_value.lower() == ""):
+ if ("any_not_empty" in config['values'] and element.value.lower() == ""):
 return [Error('sec_threats_detection_alerts', element, file, repr(element))]
 elif ("any_not_empty" not in config['values'] and not element.has_variable and
- elem_value.lower() not in config['values']):
+ element.value.lower() not in config['values']):
 return [Error('sec_threats_detection_alerts', element, file, repr(element))]
 return errors
\ No newline at end of file
diff --git a/glitch/analysis/terraform/versioning.py b/glitch/analysis/terraform/versioning.py
index c96bfbc..673baa9 100644
--- a/glitch/analysis/terraform/versioning.py
+++ b/glitch/analysis/terraform/versioning.py
@@ -5,7 +5,7 @@ class TerraformVersioning(TerraformSmellChecker):
- def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""):
+ def check(self, element, file: str, code, au_type = None, parent_name = ""):
 errors = []
 if isinstance(element, AtomicUnit):
 for config in SecurityVisitor._VERSIONING:
@@ -17,6 +17,6 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None,
 for config in SecurityVisitor._VERSIONING:
 if (element.name == config['attribute'] and au_type in config['au_type']
 and parent_name in config['parents'] and config['values'] != [""]
- and not element.has_variable and elem_value.lower() not in config['values']):
+ and not element.has_variable and element.value.lower() not in config['values']):
 return [Error('sec_versioning', element, file, repr(element))]
 return errors
\ No newline at end of file
diff --git a/glitch/analysis/terraform/weak_password_key_policy.py b/glitch/analysis/terraform/weak_password_key_policy.py
index b2617cd..0d19252 100644
--- a/glitch/analysis/terraform/weak_password_key_policy.py
+++ b/glitch/analysis/terraform/weak_password_key_policy.py
@@ -5,7 +5,7 @@ class TerraformWeakPasswordKeyPolicy(TerraformSmellChecker):
- def check(self, element, file: str, code, elem_value: str = "", au_type = None, parent_name = ""):
+ def check(self, element, file: str, code, au_type = None, parent_name = ""):
 errors = []
 if isinstance(element, AtomicUnit):
 for policy in SecurityVisitor._PASSWORD_KEY_POLICY:
@@ -19,18 +19,18 @@ def check(self, element, file: str, code, elem_value: str = "", au_type = None,
 if (element.name == policy['attribute'] and au_type in policy['au_type']
 and parent_name in policy['parents'] and policy['values'] != [""]):
 if (policy['logic'] == "equal"):
- if ("any_not_empty" in policy['values'] and elem_value.lower() == ""):
+ if ("any_not_empty" in policy['values'] and element.value.lower() == ""):
 return [Error('sec_weak_password_key_policy', element, file, repr(element))]
 elif ("any_not_empty" not in policy['values'] and not element.has_variable and
- elem_value.lower() not in policy['values']):
+ element.value.lower() not in policy['values']):
 return [Error('sec_weak_password_key_policy', element, file, repr(element))]
- elif ((policy['logic'] == "gte" and not elem_value.isnumeric()) or
- (policy['logic'] == "gte" and elem_value.isnumeric()
- and int(elem_value) < int(policy['values'][0]))):
+ elif ((policy['logic'] == "gte" and not element.value.isnumeric()) or
+ (policy['logic'] == "gte" and element.value.isnumeric()
+ and int(element.value) < int(policy['values'][0]))):
 return [Error('sec_weak_password_key_policy', element, file, repr(element))]
- elif ((policy['logic'] == "lte" and not elem_value.isnumeric()) or
- (policy['logic'] == "lte" and elem_value.isnumeric()
- and int(elem_value) > int(policy['values'][0]))):
+ elif ((policy['logic'] == "lte" and not element.value.isnumeric()) or
+ (policy['logic'] == "lte" and element.value.isnumeric()
+ and int(element.value) > int(policy['values'][0]))):
 return [Error('sec_weak_password_key_policy', element, file, repr(element))]
 return errors
\ No newline at end of file
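Review bot: `element.value.isnumeric()` is used as the guard for `int(element.value)` in the `gte` and `lte` branches, but `str.isnumeric()` is true for characters `int()` rejects (superscripts, vulgar fractions, Roman numerals), so a configuration value like `"²"` passes the guard and `int()` raises `ValueError`, aborting the analysis run on that input rather than reporting a smell. Use `element.value.isdecimal()` in all four guards, which matches what `int()` accepts for a non-negative digit string, so any other text falls through to the `not ...` arm and is flagged as a weak policy. The enclosing `check` method starts outside this hunk.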