fix(queries): add missing check in ec2 instance has public ip (#5720)

* stage * add missing check in EC2 Instance Has Public IP * add negative samples * add cleanPath * escaping html * fix unhandled error * ignore command warning * fix //#nosec * update no sec * ignore gosec * remove test.json
Checkmarx · Aug 23, 2022 · 0d3461a · 0d3461a
1 parent 4006b83
commit 0d3461a
Show file tree

Hide file tree

Showing 9 changed files with 68 additions and 7 deletions.
diff --git a/.github/scripts/report/e2e-html.go b/.github/scripts/report/e2e-html.go
@@ -51,6 +51,7 @@ func includeCSS(name string) template.HTML {
 	if err != nil {
 		return ""
 	}
+	/* #nosec */
 	return template.HTML("<style>" + cssMinified + "</style>") //nolint
 }
 
@@ -61,6 +62,7 @@ func includeJS(name string) template.HTML {
 	if err != nil {
 		return ""
 	}
+	/* #nosec */
 	return template.HTML("<script>" + jsMinified + "</script>") //nolint
 }
 

diff --git a/.github/scripts/report/main.go b/.github/scripts/report/main.go
@@ -64,7 +64,7 @@ func main() {
 	flag.Parse()
 
 	// Read TestLog (NDJSON)
-	jsonTestsOutput, err := os.Open(filepath.Join(filepath.ToSlash(testPath), testName))
+	jsonTestsOutput, err := os.Open(filepath.Clean(filepath.Join(filepath.ToSlash(testPath), testName)))
 	if err != nil {
 		fmt.Printf("Error when trying to open: %v\n", filepath.Join(filepath.ToSlash(testPath), testName))
 		os.Exit(1)
@@ -112,7 +112,7 @@ func main() {
 
 	// Parse Output from Failed Tests
 	if hasFailures {
-		jsonTestsOutputClean, err := os.Open(filepath.Join(filepath.ToSlash(testPath), testName))
+		jsonTestsOutputClean, err := os.Open(filepath.Clean(filepath.Join(filepath.ToSlash(testPath), testName)))
 		if err != nil {
 			fmt.Printf("Error when trying to open: %v\n", filepath.Join(filepath.ToSlash(testPath), testName))
 			os.Exit(1)
@@ -121,7 +121,11 @@ func main() {
 		decoder2 := json.NewDecoder(jsonTestsOutputClean)
 		for decoder2.More() {
 			var log TestLog
-			decoder2.Decode(&log)
+			errDecoder := decoder2.Decode(&log)
+			if errDecoder != nil {
+				fmt.Printf("Error when decoding: %w\n", log)
+				os.Exit(1)
+			}
 
 			if log.Action != "output" {
 				continue

diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/query.rego b/assets/queries/ansible/aws/ec2_instance_has_public_ip/query.rego
@@ -1,13 +1,15 @@
 package Cx
 
 import data.generic.ansible as ansLib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
 	task := ansLib.tasks[id][t]
 	modules := {"amazon.aws.ec2", "ec2"}
 	ec2 := task[modules[m]]
 	checkState(ec2)
 
+	not common_lib.valid_key(ec2, "network_interfaces")
 	ansLib.isAnsibleTrue(ec2.assign_public_ip)
 
 	# There is no default value for assign_public_ip

diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/negative.yaml b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/negative.yaml
@@ -10,3 +10,17 @@
     image_id: ami-04b762b4289fba92b
     key_name: my_ssh_key
     instance_type: t2.micro
+- name: Create an ec2 launch template
+  community.aws.ec2_launch_template:
+    name: "my_template"
+    image_id: "ami-04b762b4289fba92b"
+    key_name: my_ssh_key
+    instance_type: t2.micro
+    network_interfaces:
+      - interface_type: interface
+        ipv6_addresses: []
+        mac_address: '0 e: 0 e: 36: 60: 67: cf'
+        network_interface_id: eni - 061 dee20eba3b445a
+        owner_id: '721066863947'
+        source_dest_check: true
+        status: " in -use"
diff --git a/assets/queries/cloudFormation/aws/ec2_subnet_mapping_public_ip_on_launch/metadata.json b/assets/queries/cloudFormation/aws/ec2_subnet_mapping_public_ip_on_launch/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "b3de4e4c-14be-4159-b99d-9ad194365e4c",
-  "queryName": "EC2 Instance Has Public IP",
+  "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch",
   "severity": "HIGH",
   "category": "Networking and Firewall",
   "descriptionText": "EC2 Subnet should not have MapPublicIpOnLaunch set to true",

diff --git a/...udFormation/aws/ec2_subnet_mapping_public_ip_on_launch/test/positive_expected_result.json b/...udFormation/aws/ec2_subnet_mapping_public_ip_on_launch/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
   {
-    "queryName": "EC2 Instance Has Public IP",
+    "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch",
     "severity": "HIGH",
     "line": 7,
     "fileName": "positive1.yaml"
   },
   {
-    "queryName": "EC2 Instance Has Public IP",
+    "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch",
     "severity": "HIGH",
     "line": 8,
     "fileName": "positive2.json"

diff --git a/assets/queries/terraform/aws/ec2_instance_has_public_ip/query.rego b/assets/queries/terraform/aws/ec2_instance_has_public_ip/query.rego
@@ -7,6 +7,7 @@ CxPolicy[result] {
 	resource := input.document[i].resource.aws_instance[name]
 
 	not common_lib.valid_key(resource, "associate_public_ip_address")
+	not common_lib.valid_key(resource, "network_interface")
 
 	result := {
 		"documentId": input.document[i].id,
@@ -23,7 +24,9 @@ CxPolicy[result] {
 CxPolicy[result] {
 	module := input.document[i].module[name]
 	keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_instance", "associate_public_ip_address")
+	netInterfaceKey := common_lib.get_module_equivalent_key("aws", module.source, "aws_instance", "network_interface")
 
+	not common_lib.valid_key(module, netInterfaceKey)
 	not common_lib.valid_key(module, keyToCheck)
 
 	result := {
@@ -42,6 +45,7 @@ CxPolicy[result] {
 	resource := input.document[i].resource.aws_instance[name]
 
 	isTrue(resource.associate_public_ip_address)
+	not common_lib.valid_key(resource, "network_interface")
 
 	result := {
 		"documentId": input.document[i].id,
@@ -58,7 +62,9 @@ CxPolicy[result] {
 CxPolicy[result] {
 	module := input.document[i].module[name]
 	keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_instance", "associate_public_ip_address")
+	netInterfaceKey := common_lib.get_module_equivalent_key("aws", module.source, "aws_instance", "network_interface")
 
+	not common_lib.valid_key(module, netInterfaceKey)
 	isTrue(module[keyToCheck])
 
 	result := {

diff --git a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/negative3.tf b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/negative3.tf
@@ -0,0 +1,33 @@
+module "ec2_instance" {
+  source  = "terraform-aws-modules/ec2-instance/aws"
+  version = "~> 3.0"
+
+  name = "single-instance"
+
+  ami                    = "ami-ebd02392"
+  instance_type          = "t2.micro"
+  key_name               = "user1"
+  monitoring             = true
+  vpc_security_group_ids = ["sg-12345678"]
+  subnet_id              = "subnet-eddcdzz4"
+
+  network_interface {
+    network_interface_id = aws_network_interface.this.id
+    device_index         = 0
+  }
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
+
+resource "aws_network_interface" "this" {
+  subnet_id       = var.private_subnet_id
+  security_groups = [aws_security_group.this.id]
+}
+
+resource "aws_security_group" "this" {
+  name        = "example"
+  description = "Example Security Group"
+}
diff --git a/e2e/utils/helper.go b/e2e/utils/helper.go
@@ -29,7 +29,7 @@ func RunCommand(kicsArgs []string, useDocker, useMock bool, kicsDockerImage stri
 		source, args = runKicsDev(kicsArgs)
 	}
 
-	cmd := exec.Command(source, args...)
+	cmd := exec.Command(source, args...) //#nosec
 	cmd.Env = append(os.Environ(), descriptionServer)
 	stdOutput, err := cmd.CombinedOutput()
 	if err != nil {