fix(misconf): fix for Azure Storage Account network acls adaptation

Signed-off-by: nikpivkin <[email protected]>
aquasecurity · Sep 26, 2024 · 1d5932b · 1d5932b
1 parent 37d549e
commit 1d5932b
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 16 deletions.
diff --git a/pkg/iac/adapters/arm/storage/adapt.go b/pkg/iac/adapters/arm/storage/adapt.go
@@ -18,20 +18,18 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {
 	var accounts []storage.Account
 	for _, resource := range deployment.GetResourcesByType("Microsoft.Storage/storageAccounts") {
 
-		var networkRules []storage.NetworkRule
-		for _, acl := range resource.Properties.GetMapValue("networkAcls").AsList() {
+		acl := resource.Properties.GetMapValue("networkAcls")
 
-			var bypasses []types.StringValue
-			bypassProp := acl.GetMapValue("bypass")
-			for _, bypass := range strings.Split(bypassProp.AsString(), ",") {
-				bypasses = append(bypasses, types.String(bypass, bypassProp.GetMetadata()))
-			}
+		var bypasses []types.StringValue
+		bypassProp := acl.GetMapValue("bypass")
+		for _, bypass := range strings.Split(bypassProp.AsString(), ",") {
+			bypasses = append(bypasses, types.String(strings.TrimSpace(bypass), bypassProp.GetMetadata()))
+		}
 
-			networkRules = append(networkRules, storage.NetworkRule{
-				Metadata:       acl.GetMetadata(),
-				Bypass:         bypasses,
-				AllowByDefault: types.Bool(acl.GetMapValue("defaultAction").EqualTo("Allow"), acl.GetMetadata()),
-			})
+		networkRule := storage.NetworkRule{
+			Metadata:       acl.GetMetadata(),
+			Bypass:         bypasses,
+			AllowByDefault: types.Bool(acl.GetMapValue("defaultAction").EqualTo("Allow"), acl.GetMetadata()),
 		}
 
 		var queues []storage.Queue
@@ -52,7 +50,7 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {
 
 		account := storage.Account{
 			Metadata:     resource.Metadata,
-			NetworkRules: networkRules,
+			NetworkRules: []storage.NetworkRule{networkRule},
 			EnforceHTTPS: resource.Properties.GetMapValue("supportsHttpsTrafficOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
 			Containers:   containers,
 			QueueProperties: storage.QueueProperties{

diff --git a/pkg/iac/adapters/arm/storage/adapt_test.go b/pkg/iac/adapters/arm/storage/adapt_test.go
@@ -6,6 +6,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/aquasecurity/trivy/internal/testutil"
+	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/storage"
 	azure2 "github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
 	"github.com/aquasecurity/trivy/pkg/iac/types"
 )
@@ -41,6 +43,10 @@ func Test_AdaptStorage(t *testing.T) {
 				Properties: azure2.NewValue(map[string]azure2.Value{
 					"minimumTlsVersion":        azure2.NewValue("TLS1_2", types.NewTestMetadata()),
 					"supportsHttpsTrafficOnly": azure2.NewValue(true, types.NewTestMetadata()),
+					"networkAcls": azure2.NewValue(map[string]azure2.Value{
+						"bypass":        azure2.NewValue("Logging, Metrics", types.NewTestMetadata()),
+						"defaultAction": azure2.NewValue("Allow", types.NewTestMetadata()),
+					}, types.NewTestMetadata()),
 				}, types.NewTestMetadata()),
 			},
 		},
@@ -50,8 +56,19 @@ func Test_AdaptStorage(t *testing.T) {
 
 	require.Len(t, output.Accounts, 1)
 
-	account := output.Accounts[0]
-	assert.Equal(t, "TLS1_2", account.MinimumTLSVersion.Value())
-	assert.True(t, account.EnforceHTTPS.Value())
+	expected := storage.Storage{
+		Accounts: []storage.Account{{
+			MinimumTLSVersion: types.StringTest("TLS1_2"),
+			EnforceHTTPS:      types.BoolTest(true),
+			NetworkRules: []storage.NetworkRule{{
+				Bypass: []types.StringValue{
+					types.StringTest("Logging"),
+					types.StringTest("Metrics"),
+				},
+				AllowByDefault: types.BoolTest(true),
+			}},
+		}},
+	}
 
+	testutil.AssertDefsecEqual(t, expected, output)
 }