From 17c9345e813330cbb674f1d5400a60deb30a95ff Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 17 Sep 2024 06:52:11 +0000
Subject: [PATCH] Update rule metadata (#1537)

Co-authored-by: rudy-regazzoni-sonarsource
---
 iac-extensions/arm/sonarpedia.json | 2 +-
 iac-extensions/cloudformation/sonarpedia.json | 2 +-
 .../rules/cloudformation/S6249.html | 14 ++++++----
 iac-extensions/docker/sonarpedia.json | 2 +-
 .../sonar/l10n/docker/rules/docker/S7026.html | 25 +++++++++++------
 iac-extensions/kubernetes/sonarpedia.json | 2 +-
 .../kubernetes/rules/kubernetes/S6430.html | 2 +-
 iac-extensions/terraform/sonarpedia.json | 2 +-
 .../l10n/terraform/rules/terraform/S6382.html | 28 +++++++++----------
 9 files changed, 45 insertions(+), 34 deletions(-)

diff --git a/iac-extensions/arm/sonarpedia.json b/iac-extensions/arm/sonarpedia.json
index 935f07be5c..e540901f66 100644
--- a/iac-extensions/arm/sonarpedia.json
+++ b/iac-extensions/arm/sonarpedia.json
@@ -3,7 +3,7 @@
 "languages": [
 "AZURE_RESOURCE_MANAGER"
 ],
- "latest-update": "2024-09-02T14:46:42.140530Z",
+ "latest-update": "2024-09-17T06:40:06.632039Z",
 "options": {
 "no-language-in-filenames": true,
 "preserve-filenames": true
diff --git a/iac-extensions/cloudformation/sonarpedia.json b/iac-extensions/cloudformation/sonarpedia.json
index 21378c23dd..203d7b8819 100644
--- a/iac-extensions/cloudformation/sonarpedia.json
+++ b/iac-extensions/cloudformation/sonarpedia.json
@@ -3,7 +3,7 @@
 "languages": [
 "CLOUD_FORMATION"
 ],
- "latest-update": "2024-09-02T14:46:49.511642Z",
+ "latest-update": "2024-09-17T06:40:14.503224Z",
 "options": {
 "no-language-in-filenames": true,
 "preserve-filenames": true
diff --git a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6249.html b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6249.html
index 676ec804ec..54f94ec582 100644
--- a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6249.html
+++ b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6249.html
@@ -29,7 +29,7 @@

Sensitive Code Example

S3Bucket: Type: 'AWS::S3::Bucket' # Sensitive Properties: - BucketName: "mynoncompliantbucket" + BucketName: "bucketname" S3BucketPolicy: Type: 'AWS::S3::BucketPolicy' @@ -43,7 +43,9 @@

Sensitive Code Example

AWS: # Sensitive: only one principal is forced to use https
 - 'arn:aws:iam::123456789123:root'
 Action: "*"
- Resource: arn:aws:s3:::mynoncompliantbuckets6249/*
+ Resource:
+ - arn:aws:s3:::bucketname
+ - arn:aws:s3:::bucketname/*
 Condition:
 Bool:
 "aws:SecureTransport": false
@@ -56,12 +58,12 @@

Compliant Solution

S3Bucket: Type: 'AWS::S3::Bucket' # Compliant Properties: - BucketName: "mycompliantbucket" + BucketName: "bucketname" S3BucketPolicy: Type: 'AWS::S3::BucketPolicy' Properties: - Bucket: "mycompliantbucket" + Bucket: !Ref S3Bucket PolicyDocument: Version: "2012-10-17" Statement: @@ -69,7 +71,9 @@
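Review bot: The compliant solution now ties the policy to the template's own bucket with `Bucket: !Ref S3Bucket`, but the `Resource` ARNs added in the next hunk (`@@ -69,7 +71,9 @@`) stay the literal `arn:aws:s3:::bucketname`, so a reader who renames the bucket keeps a policy whose statement no longer covers it. Deriving the ARNs from the resource keeps the example self-consistent: `Resource:` / `  - !GetAtt S3Bucket.Arn` / `  - !Sub "${S3Bucket.Arn}/*"`. The rest of the PolicyDocument (Effect and Principal) lies outside this hunk.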

Compliant Solution

Principal:
 AWS: "*" # all principals should use https
 Action: "*" # for any actions
- Resource: arn:aws:s3:::mycompliantbucket/* # for any resources
+ Resource: # for the bucket and all its objects
+ - arn:aws:s3:::bucketname
+ - arn:aws:s3:::bucketname/*
 Condition:
 Bool:
 "aws:SecureTransport": false
diff --git a/iac-extensions/docker/sonarpedia.json b/iac-extensions/docker/sonarpedia.json
index ab2169aa6e..40a1322674 100644
--- a/iac-extensions/docker/sonarpedia.json
+++ b/iac-extensions/docker/sonarpedia.json
@@ -3,7 +3,7 @@
 "languages": [
 "DOCKER"
 ],
- "latest-update": "2024-09-02T14:46:56.877054Z",
+ "latest-update": "2024-09-17T06:40:22.621532Z",
 "options": {
 "no-language-in-filenames": true,
 "preserve-filenames": true
diff --git a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S7026.html b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S7026.html
index 77ef476386..45adbb92c3 100644
--- a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S7026.html
+++ b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S7026.html
@@ -1,4 +1,4 @@
-

In Dockerfiles, a common use case is to download remote resources to use during the build. This is often done using third-party tools inside the +

In Dockerfiles, a common use case is downloading remote resources to use during the build. This is often done using third-party tools inside the image, like wget or curl. However, this practice can lead to inefficient use of Docker’s build cache and unnecessary complexity. The ADD instruction is a built-in feature of Docker that is specifically designed for this purpose, making it a more efficient and safer choice.

@@ -7,28 +7,35 @@

Why is this an issue?

lead to several issues, particularly related to the inefficient use of Docker’s build cache.

Docker’s build cache is a powerful feature that can significantly speed up the build process by reusing intermediate layers from previous builds if no changes were detected. When you use wget, curl, or similar commands, these commands are run during the build process, and
-Docker has no way of knowing if the remote content has changed without executing the commands. This makes it impossible to effectively cache the
-results of these commands.

-

Moreover, the installation of third-party tools inside the image can introduce unnecessary complexity, dependency on external tools and increase
-the size of the final image.

+Docker has no way of knowing if the remote content has changed without executing the commands. This makes it impossible to cache the results of these
+commands.

+

Moreover, installing third-party tools inside the image can introduce unnecessary complexity, dependency on external tools and increase the size of
+the final image.

+

Exceptions

+

In some cases, the ADD instruction is not able to replace the wget or curl command, especially if specific
+HTTP parameters are required: method, headers, body, etc.

+
+FROM ubuntu:20.04
+RUN wget --header="Authorization: Bearer your_token" --method=POST https://example.com/resource
+

How to fix it

Code examples

Noncompliant code example

-FROM ununtu:20.04
+FROM ubuntu:20.04
 RUN wget https://example.com/resource -O /path/to/resource
 
-FROM ununtu:20.04
+FROM ubuntu:20.04
 RUN curl -o /path/to/resource https://example.com/resource && echo "123456abcdef /path/to/resource" | sha256sum --check
 

Compliant solution

-FROM ununtu:20.04
+FROM ubuntu:20.04
 ADD https://example.com/resource /path/to/resource
 
-FROM ununtu:20.04
+FROM ubuntu:20.04
 ADD --checksum=sha256:123456abcdef https://example.com/resource /path/to/resource
 

Resources
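Review bot: The new Exceptions example `RUN wget --header="Authorization: Bearer your_token" --method=POST https://example.com/resource` places a bearer token literally in a RUN instruction, where it is recorded in the image's history metadata and in the build output; rule examples get copied verbatim, so the exception should show the token arriving from a build secret rather than from the Dockerfile text. A minimal form is `RUN --mount=type=secret,id=token wget --header="Authorization: Bearer $(cat /run/secrets/token)" --method=POST https://example.com/resource`, or, if the example is meant to stay short, a preceding comment such as `# credentials must not be hard-coded here; pass them via --mount=type=secret`. The ADD-based compliant examples further down in this hunk are unaffected.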

diff --git a/iac-extensions/kubernetes/sonarpedia.json b/iac-extensions/kubernetes/sonarpedia.json
index 821d05c15d..609424e2cd 100644
--- a/iac-extensions/kubernetes/sonarpedia.json
+++ b/iac-extensions/kubernetes/sonarpedia.json
@@ -3,7 +3,7 @@
 "languages": [
 "KUBERNETES"
 ],
- "latest-update": "2024-09-02T14:47:03.763797Z",
+ "latest-update": "2024-09-17T06:40:30.052792Z",
 "options": {
 "no-language-in-filenames": true,
 "preserve-filenames": true
diff --git a/iac-extensions/kubernetes/src/main/resources/org/sonar/l10n/kubernetes/rules/kubernetes/S6430.html b/iac-extensions/kubernetes/src/main/resources/org/sonar/l10n/kubernetes/rules/kubernetes/S6430.html
index 98696d0bf6..22b7f81168 100644
--- a/iac-extensions/kubernetes/src/main/resources/org/sonar/l10n/kubernetes/rules/kubernetes/S6430.html
+++ b/iac-extensions/kubernetes/src/main/resources/org/sonar/l10n/kubernetes/rules/kubernetes/S6430.html
@@ -51,6 +51,6 @@

Compliant Solution

See

diff --git a/iac-extensions/terraform/sonarpedia.json b/iac-extensions/terraform/sonarpedia.json
index cccfabaaac..d32dfd4090 100644
--- a/iac-extensions/terraform/sonarpedia.json
+++ b/iac-extensions/terraform/sonarpedia.json
@@ -3,7 +3,7 @@
 "languages": [
 "TERRAFORM"
 ],
- "latest-update": "2024-09-02T14:47:11.602411Z",
+ "latest-update": "2024-09-17T06:40:38.583237Z",
 "options": {
 "no-language-in-filenames": true,
 "preserve-filenames": true
diff --git a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6382.html b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6382.html
index afc2717709..f1b1227fdc 100644
--- a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6382.html
+++ b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6382.html
@@ -17,11 +17,15 @@

Ask Yourself Whether

Recommended Secure Coding Practices

Enable certificate-based authentication.

Sensitive Code Example

-

For App Service:

+

For Linux and Windows Web Apps:

-resource "azurerm_app_service" "example" {
+resource "azurerm_linux_web_app" "example" {
   client_cert_enabled = false # Sensitive
 }
+resource "azurerm_linux_web_app" "example2" {
+  client_certificate_enabled = true
+  client_certificate_mode = "Optional" # Sensitive
+}
 

For Logic App Standards and Function Apps:
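Review bot: The first sensitive example is renamed to `resource "azurerm_linux_web_app" "example"` but keeps the unchanged context line `client_cert_enabled = false # Sensitive` beneath it; `client_cert_enabled` is the argument of the legacy `azurerm_app_service` resource, whereas `azurerm_linux_web_app` exposes `client_certificate_enabled`, the name the `example2` block added directly below already uses. As written the snippet mixes the two naming schemes and the first block would not validate against the provider schema. The line should read `  client_certificate_enabled = false # Sensitive`; the App Service examples in the later hunk of this file correctly keep `client_cert_enabled`.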

@@ -43,21 +47,18 @@

Sensitive Code Example

client_certificate_mode = "Optional" # Sensitive } -

For Linux and Windows Web Apps:

+

For App Service:

-resource "azurerm_linux_web_app" "example" {
+resource "azurerm_app_service" "example" {
   client_cert_enabled = false # Sensitive
 }
-resource "azurerm_linux_web_app" "exemple2" {
-  client_cert_enabled = true
-  client_cert_mode = "Optional" # Sensitive
-}
 

Compliant Solution

-

For App Service:

+

For Linux and Windows Web Apps:

-resource "azurerm_app_service" "example" {
-  client_cert_enabled = true
+resource "azurerm_linux_web_app" "example" {
+  client_certificate_enabled = true
+  client_certificate_mode = "Required"
 }
 

For Logic App Standards and Compliant Solution client_certificate_mode = "Required" } -

For Linux and Windows Web Apps:

+

For App Service:

-resource "azurerm_linux_web_app" "exemple" {
+resource "azurerm_app_service" "example" {
   client_cert_enabled = true
-  client_cert_mode = "Required"
 }
 

See