From 85d80e13468a82802790786a61e6df32083b26b6 Mon Sep 17 00:00:00 2001 
From: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Date: Mon, 8 May 2023 18:00:26 +0200 Subject: [PATCH] Update rule metadata (#672) --- iac-extensions/cloudformation/sonarpedia.json | 2 +- .../rules/cloudformation/S1135.html | 5 ++- .../rules/cloudformation/S2260.html | 1 + .../rules/cloudformation/S4423.html | 7 ++-- .../rules/cloudformation/S6273.html | 7 ++-- .../rules/cloudformation/S6294.html | 5 ++- .../rules/cloudformation/S6295.html | 5 ++- .../rules/cloudformation/S6302.html | 2 +- .../rules/cloudformation/S6304.html | 2 +- .../rules/cloudformation/S6317.html | 7 ++-- .../rules/cloudformation/S6321.html | 7 ++-- .../rules/cloudformation/S6329.html | 2 +- .../rules/cloudformation/S6333.html | 2 +- iac-extensions/docker/sonarpedia.json | 2 +- .../checks/MountWorldPermissionCheck.java | 6 +-- .../iac/docker/checks/utils/CheckUtils.java | 6 +++ .../sonar/iac/docker/utils/CheckUtils.java | 38 ------------------ .../sonar/iac/docker/utils/package-info.java | 21 ---------- .../sonar/l10n/docker/rules/docker/S1135.html | 5 ++- .../sonar/l10n/docker/rules/docker/S2260.html | 1 + .../sonar/l10n/docker/rules/docker/S4423.html | 7 ++-- .../sonar/l10n/docker/rules/docker/S4790.html | 2 +- .../sonar/l10n/docker/rules/docker/S4830.html | 7 ++-- .../sonar/l10n/docker/rules/docker/S6437.html | 7 ++-- .../sonar/l10n/docker/rules/docker/S6469.html | 7 ++-- .../sonar/l10n/docker/rules/docker/S6476.html | 5 ++- .../sonar/l10n/docker/rules/docker/S6506.html | 39 +++++++------------ iac-extensions/kubernetes/sonarpedia.json | 2 +- .../kubernetes/rules/kubernetes/S1135.html | 5 ++- .../kubernetes/rules/kubernetes/S2260.html | 1 + iac-extensions/terraform/sonarpedia.json | 2 +- .../l10n/terraform/rules/terraform/S1135.html | 5 ++- .../l10n/terraform/rules/terraform/S2260.html | 1 + .../l10n/terraform/rules/terraform/S4423.html | 7 ++-- .../l10n/terraform/rules/terraform/S6273.html | 7 ++-- .../l10n/terraform/rules/terraform/S6302.html | 2 +- 
.../l10n/terraform/rules/terraform/S6304.html | 2 +- .../l10n/terraform/rules/terraform/S6317.html | 7 ++-- .../l10n/terraform/rules/terraform/S6321.html | 7 ++-- .../l10n/terraform/rules/terraform/S6333.html | 2 +- .../l10n/terraform/rules/terraform/S6385.html | 9 +++-- .../l10n/terraform/rules/terraform/S6410.html | 7 ++-- pom.xml | 2 +- 43 files changed, 119 insertions(+), 156 deletions(-) delete mode 100644 iac-extensions/docker/src/main/java/org/sonar/iac/docker/utils/CheckUtils.java delete mode 100644 iac-extensions/docker/src/main/java/org/sonar/iac/docker/utils/package-info.java diff --git a/iac-extensions/cloudformation/sonarpedia.json b/iac-extensions/cloudformation/sonarpedia.json index bbb3732c4c..d0e66f8a00 100644 --- a/iac-extensions/cloudformation/sonarpedia.json +++ b/iac-extensions/cloudformation/sonarpedia.json @@ -3,7 +3,7 @@ "languages": [ "CLOUD_FORMATION" ], - "latest-update": "2023-04-03T19:16:23.688661Z", + "latest-update": "2023-05-08T07:13:45.831563776Z", "options": { "no-language-in-filenames": true, "preserve-filenames": true diff --git a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S1135.html b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S1135.html index dedef83834..5ff10288ef 100644 --- a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S1135.html +++ b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S1135.html @@ -1,12 +1,13 @@ +
TODO
tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.
Sometimes the developer will not have the time or will simply forget to get back to that tag.
This rule is meant to track those tags and to ensure that they do not go unnoticed.
-# TODO AWSTemplateFormatVersion: 2010-09-09-
When the CloudFormation parser fails, it is possible to record the failure as a violation on the file. This way, not only it is possible to track the number of files that do not parse but also to easily find out why they do not parse.
diff --git a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S4423.html b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S4423.html index d885cf868a..b086cf367b 100644 --- a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S4423.html +++ b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S4423.html @@ -1,3 +1,4 @@ +This rule raises an issue when an insecure TLS protocol version (i.e. a protocol different from "TLSv1.2", "TLSv1.3", "DTLSv1.2", or "DTLSv1.3") is used or allowed.
It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the @@ -6,7 +7,7 @@
In most cases, using the default system configuration is not compliant. Indeed, an application might get deployed on a wide range of systems with different configurations. While using a system’s default value might be safe on modern up-to-date systems, this might not be the case on older systems. It is therefore recommended to explicitly set a safe configuration in every case.
-For Amazon OpenSearch domains:
AWSTemplateFormatVersion: 2010-09-09 @@ -34,7 +35,7 @@-Noncompliant Code Example
CustomApi: # Noncompliant Type: AWS::ApiGatewayV2::DomainName
For Amazon OpenSearch domains:
AWSTemplateFormatVersion: 2010-09-09 @@ -65,7 +66,7 @@-Compliant Solution
DomainNameConfigurations: - SecurityPolicy: "TLS_1_2"
Shared conventions allow teams to collaborate effectively. This rule allows to check that all tag keys match a provided regular expression.
-With default provided regular expression ^([A-Z]:)([A-Z][A-Za-z]*)$:
AWSTemplateFormatVersion: 2010-09-09 @@ -15,7 +16,7 @@Noncompliant Code Example
Value: "PROD"
-
AWSTemplateFormatVersion: 2010-09-09 @@ -30,7 +31,7 @@-Compliant Solution
- Key: "Anycompany:EnvironmentType" Value: "PROD"
Some AWS services create Log Groups
implicitly and don’t let the developer choose the Log Group
name. This means that
CloudFormation does not require the developer to declare the Log Group
that the resource will write to.
If a Log Group
is not declared within CloudFormation, then this Log Group
will be automatically created at run time and
@@ -17,7 +18,7 @@
# There is no "Log Group" declared corresponding to "MyLambdaFunction": logs will not be managed by CloudFormation MyLambdaFunction: @@ -26,7 +27,7 @@-Noncompliant Code Example
Runtime: nodejs12.x Description: Example of Lambda Function
Example with Ref
MyLambdaFunction: diff --git a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6295.html b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6295.html index 02896cc487..f1266d95af 100644 --- a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6295.html +++ b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6295.html @@ -1,3 +1,4 @@ +Why is this an issue?
Log streams created on AWS will stay forever unless the
@@ -5,7 +6,7 @@AWS::Logs::LogGroup
to which they belong to was configured with a retention policy.Log Groups
should have their “RetentionInDays” property set with a valid value to be sure the log events are kept only for the expected duration.Keeping the logs for ever doesn’t come for free: AWS will charge for keeping these logs. Also from a security point of view, keeping the data for ever may be not compliant with company policy or regulatory rules.
Note: this rule doesn’t check if the value provided to "RetentionInDays" is valid because AWS CloudFormation Linter (cfn-lint) do it already
-Noncompliant Code Example
+Noncompliant code example
MyLambdaFunction: Type: AWS::Lambda::Function @@ -19,7 +20,7 @@-Noncompliant Code Example
LogGroupName: !Join ['/', ['/aws/lambda', !Ref MyLambdaFunction]] # Noncompliant: "RetentionInDays" property is not set: logs are kept for everCompliant Solution
+Compliant solution
MyLambdaFunction: Type: AWS::Lambda::Function diff --git a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6302.html b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6302.html index 162d73a5d3..acc9b0ad90 100644 --- a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6302.html +++ b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6302.html @@ -13,7 +13,7 @@Recommended Secure Coding Practices
It’s recommended to apply the least privilege principle, i.e. by only granting the necessary permissions to identities. A good practice is to start with the very minimum set of permissions and to refine the policy over time. In order to fix overly permissive policies already deployed in production, a strategy could be to review the monitored activity in order to reduce the set of permissions to those most used.
-Noncompliant Code Example
+Sensitive Code Example
A customer-managed policy that grants all permissions by using the wildcard (*) in the
Action
property:MyPolicy: diff --git a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6304.html b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6304.html index 2a88eb03a5..9336d72cb3 100644 --- a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6304.html +++ b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6304.html @@ -10,7 +10,7 @@Recommended Secure Coding Practices
to organize or tag resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors. -Noncompliant Code Example
+Sensitive Code Example
Update permission is granted for all policies using the wildcard (*) in the
Resource
property:MyPolicy: diff --git a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6317.html b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6317.html index c12636c524..19cf1f2b24 100644 --- a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6317.html +++ b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6317.html @@ -1,3 +1,4 @@ +Why is this an issue?
AWS Identity and Access Management (IAM) is the service that defines access to AWS resources. One of the core components of IAM is the policy which, when attached to an identity or a resource, defines its permissions. Policies granting permission to an Identity (a User, a Group or Role) are called identity-based policies. They add the ability to an identity to perform a predefined set of actions on a list of resources.
@@ -151,7 +152,7 @@The general recommendation to protect against privilege escalation is to restrict the resources to which sensitive permissions are granted. The first example above is a good demonstration of sensitive permissions being used with a narrow scope of resources and where no privilege escalation is possible.
-Noncompliant Code Example
+Noncompliant code example
This policy allows to update the code of any lambda function. Updating the code of a lambda executing with high privileges will lead to privilege escalation.
@@ -172,7 +173,7 @@-Noncompliant Code Example
- lambda:UpdateFunctionCode Resource: "*"Compliant Solution
+Compliant solution
Narrow the policy to only allow to update the code of certain lambda functions.
AWSTemplateFormatVersion: 2010-09-09 @@ -191,7 +192,7 @@-Compliant Solution
- lambda:UpdateFunctionCode Resource: "arn:aws:lambda:us-east-2:123456789012:function:my-function:1"See
+Resources
Cloud platforms such as AWS, Azure, or GCP support virtual firewalls that can be used to restrict access to services by controlling inbound and
outbound traffic.
Any firewall rule allowing traffic from all IP addresses to standard network ports on which administration services
traditionally listen, such as 22 for SSH, can expose these services to exploits and unauthorized access.
It’s recommended to restrict access to remote administration services to only trusted IP addresses. In practice, trusted IP addresses are those held by system administrators or those of bastion-like servers.
-An ingress rule allowing all inbound SSH traffic:
MySecurityGroup: @@ -19,7 +20,7 @@-Noncompliant Code Example
ToPort: 22 # SSH traffic CidrIp: "0.0.0.0/0" # from all IP addresses is authorized
An ingress rule allowing inbound SSH traffic from specific IP addresses:
MySecurityGroup: @@ -33,7 +34,7 @@-Compliant Solution
ToPort: 22 CidrIp: "1.2.3.0/24"
The goal is to prevent the component from intercepting traffic coming in via the public IP address. If the cloud resource does not support the absence of a public IP address, assign a public IP address to it, but do not create listeners for the public IP address.
-DMS and EC2 instances have a public IP address assigned to them:
DMSInstance: diff --git a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6333.html b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6333.html index ba331623e3..d118b12ff1 100644 --- a/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6333.html +++ b/iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6333.html @@ -9,7 +9,7 @@Ask Yourself Whether
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to restrict API access to authorized entities, unless the API offers a non-sensitive service designed to be public.
-Noncompliant Code Example
+Sensitive Code Example
A public API that doesn’t have access control implemented:
NoncompliantApiGatewayMethod:
diff --git a/iac-extensions/docker/sonarpedia.json b/iac-extensions/docker/sonarpedia.json
index dbd5a67aac..297aaac90c 100644
--- a/iac-extensions/docker/sonarpedia.json
+++ b/iac-extensions/docker/sonarpedia.json
@@ -3,7 +3,7 @@ "languages": [ "DOCKER" ],
- "latest-update": "2023-04-03T19:15:35.689516Z",
+ "latest-update": "2023-05-08T07:12:57.424818500Z",
 "options": { "no-language-in-filenames": true, "preserve-filenames": true
diff --git a/iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/MountWorldPermissionCheck.java b/iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/MountWorldPermissionCheck.java
index ed22f18687..cfc6f00096 100644
--- a/iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/MountWorldPermissionCheck.java
+++ b/iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/MountWorldPermissionCheck.java
@@ -23,18 +23,18 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.annotation.CheckForNull;
-import org.sonar.iac.common.api.tree.impl.TextPointer;
-import org.sonar.iac.common.api.tree.impl.TextRange;
 import org.sonar.check.Rule;
 import org.sonar.iac.common.api.checks.CheckContext;
 import org.sonar.iac.common.api.checks.IacCheck;
 import org.sonar.iac.common.api.checks.InitContext;
+import org.sonar.iac.common.api.tree.impl.TextPointer;
+import org.sonar.iac.common.api.tree.impl.TextRange;
 import org.sonar.iac.common.api.tree.impl.TextRanges;
+import org.sonar.iac.docker.checks.utils.CheckUtils;
 import org.sonar.iac.docker.symbols.ArgumentResolution;
 import org.sonar.iac.docker.tree.api.Argument;
 import org.sonar.iac.docker.tree.api.Flag;
 import org.sonar.iac.docker.tree.api.RunInstruction;
-import org.sonar.iac.docker.utils.CheckUtils;
 @Rule(key = "S6469")
 public class MountWorldPermissionCheck implements IacCheck {
diff --git a/iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/utils/CheckUtils.java b/iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/utils/CheckUtils.java
index 4a4330fe4d..223b805271 100644
--- a/iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/utils/CheckUtils.java
+++ b/iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/utils/CheckUtils.java
@@ -20,8 +20,10 @@ package org.sonar.iac.docker.checks.utils;
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;
 import org.sonar.iac.docker.symbols.ArgumentResolution;
+import org.sonar.iac.docker.tree.api.Flag;
 import org.sonar.iac.docker.tree.api.HasArguments;
 public class CheckUtils {
@@ -42,4 +44,8 @@ public static String getFileExtension(String name) {
 }
 return name.substring(lastIndexOf + 1);
 }
+
+ public static Optional-getParamByName(List params, String name) {
+ return params.stream().filter(param -> name.equals(param.name())).findFirst();
+ }
 }
diff --git a/iac-extensions/docker/src/main/java/org/sonar/iac/docker/utils/CheckUtils.java b/iac-extensions/docker/src/main/java/org/sonar/iac/docker/utils/CheckUtils.java
deleted file mode 100644
index a633543a18..0000000000
--- a/iac-extensions/docker/src/main/java/org/sonar/iac/docker/utils/CheckUtils.java
+++ /dev/null
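Review bot: `getParamByName` lands in `org.sonar.iac.docker.checks.utils.CheckUtils` with no Javadoc, and its body dereferences `params` and `name` unguarded, so a null `name` surfaces as a NullPointerException from inside the stream pipeline rather than at the call site. The deleted `org.sonar.iac.docker.utils` package declared `@ParametersAreNonnullByDefault` in its package-info.java; whether `checks.utils` has the same package-info is not visible in this diff, so either confirm it or add `Objects.requireNonNull(name, "name");` as the first statement (with `import java.util.Objects;`). The type arguments of `Optional` and `List` are stripped in this rendering; presumably `Optional<Flag>` / `List<Flag>` as in the removed class. A Javadoc such as `/** Returns the first flag in {@code params} whose name equals {@code name}, or an empty Optional when none matches. */` would carry over the contract the old class documented at class level. The enclosing `CheckUtils` class starts before the hunk.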
@@ -1,38 +0,0 @@ -/* - * SonarQube IaC Plugin - * Copyright (C) 2021-2023 SonarSource SA - * mailto:info AT sonarsource DOT com - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 3 of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this program; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - */ -package org.sonar.iac.docker.utils; - -import java.util.List; -import java.util.Optional; -import org.sonar.iac.docker.tree.api.Flag; - -/** - * Class to define global methods than can be used to help writing checks. - * Any generalized method that can be used in multiple checks should be put there. - */ -public class CheckUtils { - - private CheckUtils() { - } - - public static Optional getParamByName(List params, String name) { - return params.stream().filter(param -> name.equals(param.name())).findFirst(); - } -} diff --git a/iac-extensions/docker/src/main/java/org/sonar/iac/docker/utils/package-info.java b/iac-extensions/docker/src/main/java/org/sonar/iac/docker/utils/package-info.java deleted file mode 100644 index 8cbfddf1d6..0000000000 --- a/iac-extensions/docker/src/main/java/org/sonar/iac/docker/utils/package-info.java +++ /dev/null 
@@ -1,21 +0,0 @@ -/* - * SonarQube IaC Plugin - * Copyright (C) 2021-2023 SonarSource SA - * mailto:info AT sonarsource DOT com - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 3 of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this program; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - */ -@javax.annotation.ParametersAreNonnullByDefault -package org.sonar.iac.docker.utils; diff --git a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S1135.html b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S1135.html index 7bfaf149bc..8f647e4a0b 100644 --- a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S1135.html +++ b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S1135.html @@ -1,12 +1,13 @@ + Why is this an issue?
TODO
tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.Sometimes the developer will not have the time or will simply forget to get back to that tag.
This rule is meant to track those tags and to ensure that they do not go unnoticed.
-Noncompliant Code Example
+Noncompliant code example
# TODO FROM ubuntu-See
+Resources
diff --git a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S2260.html b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S2260.html index 0c8aeb9b47..71afb8f782 100644 --- a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S2260.html +++ b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S2260.html @@ -1,3 +1,4 @@ +
- MITRE, CWE-546 - Suspicious Comment
Why is this an issue?
When the Dockerfile parser fails, it is possible to record the failure as a violation on the file. This way, not only is it possible to track the number of files that do not parse but also to easily find out why they do not parse.
diff --git a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S4423.html b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S4423.html index 6e04aeb925..87ca168093 100644 --- a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S4423.html +++ b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S4423.html @@ -1,3 +1,4 @@ +Why is this an issue?
This rule raises an issue when an insecure TLS protocol version (i.e. a protocol different from "TLSv1.2", "TLSv1.3", "DTLSv1.2", or "DTLSv1.3") is used or allowed.
It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the @@ -6,7 +7,7 @@
In most cases, using the default system configuration is not compliant. Indeed, an application might get deployed on a wide range of systems with different configurations. While using a system’s default value might be safe on modern up-to-date systems, this might not be the case on older systems. It is therefore recommended to explicitly set a safe configuration in every case.
-Noncompliant Code Example
+Noncompliant code example
HTTP request tools such as
@@ -16,7 +17,7 @@curl
,wget
andInvoke-WebRequest
offer the option to choose the version of SSL/TLS that will be used for requests. The following example successfully requests data from a server with an insecure version of TLS. Thus, it is possible that the response was intercepted or tampered with by a third party.Noncompliant Code Example
# Noncompliant RUN curl --tlsv1.0 -O https://tlsv1-0.example.com/downloads/install.shCompliant Solution
+Compliant solution
Choosing a recent, secure version of TLS ensures that the created TLS session is secure and cannot be intercepted. In this example, the minimal version of TLS is set to TLSv1.2, guaranteeing that requests can only be sent over TLSv1.2 or TLSv1.3.
@@ -24,7 +25,7 @@-Compliant Solution
RUN curl --tlsv1.2 -O https://tlsv1-3.example.com/downloads/install.shSee
+Resources
Safer alternatives, such as SHA-256
, SHA-512
, SHA-3
are recommended, and for password hashing, it’s even
better to use algorithms that do not compute too "quickly", like bcrypt
, scrypt
, argon2
or pbkdf2
because it slows down brute force attacks
.
FROM ubuntu:22.04 diff --git a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S4830.html b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S4830.html index 2b2decb4a0..f19a7357eb 100644 --- a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S4830.html +++ b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S4830.html @@ -1,3 +1,4 @@ +Why is this an issue?
Validation of X.509 certificates is essential to create secure SSL/TLS sessions not vulnerable to man-in-the-middle attacks.
The certificate chain validation includes these steps:
It’s not recommended to reinvent the wheel by implementing custom certificate chain validation.
TLS libraries provide built-in certificate validation functions that should be used.
-HTTP request tools such as curl
, wget
and Invoke-WebRequest
offer the option to disable certificate
verification. The following example successfully requests data from a server with an insecure certificate. Thus, it is possible that the response was
intercepted or tampered with by a third party.
Enabling certificate verification helps to make sure that the created TLS session is secure and cannot be intercepted. In this example, the option to disable certificate verification is removed, and a request is made to a secure server instead.
@@ -25,7 +26,7 @@-Compliant Solution
RUN curl -O https://new.example.com/downloads/install.sh
Sensitive data has been found in the Dockerfile or Docker image. The data should be considered breached.
If malicious third parties can get a hold of such information, they could impersonate legitimate identities within the organization.
It is a
clear breach of trust in the system, as the systems involved falsely assume that the authenticated entity is who it claims to be.
The consequences
@@ -9,14 +10,14 @@
Note that files exposing the secrets should be securely stored and not exposed to a large sphere. If possible, use a secret vault or another similar component. For example, Docker Swarm provides a secrets service that can be used to handle most confidential data.
-FROM example ARG PASSWORD # Noncompliant RUN wget --user=guest --password="$PASSWORD" https://example.com-
For build-time secrets, use Buildkit’s secret mount type instead:
@@ -37,7 +38,7 @@Compliant Solution
docker run --env-file .env myImage-See
+Resources
Docker offers a feature to mount files and directories for specific RUN
instructions when building Docker images. This feature can be
used to provide secrets to the commands that are executed during the build without baking them into the image. Additionally, it can be used to access
SSH agents during the build.
If you are executing a command as a low-privileged user and need to access secrets or agents, you can use the options uid
and
gid
to provide access without having to resort to world-readable or writable permissions that might expose them to unintended
parties.
RUN --mount=type=secret,id=build_secret,mode=0777 ./installer.sh # Noncompliant-
RUN --mount=type=secret,id=build_secret,uid=1000 ./installer.sh-
The Dockerfile instructions are not case-sensitive. However, they should be in upper case to distinguish them from arguments more easily. Shared coding conventions allow teams to collaborate effectively.
-from ubuntu:22.04 as jammy-
FROM ubuntu:22.04 AS jammydiff --git a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S6506.html b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S6506.html index 3ff7dfbf62..57c42823d2 100644 --- a/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S6506.html +++ b/iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S6506.html @@ -16,20 +16,16 @@
There is a risk if you answered yes to the question.
curl
this can be enabled using the option --proto
- "=https"
.
+ curl
this can be enabled using the option --proto "=https"
.
curl
this is done by omitting the
- -L
or --location
option. In wget
this is done by adding the option --max-redirect=0
.
- -L
or --location
option. In wget
this is done by adding the option --max-redirect=0
. In the examples below, an install script is downloaded using curl
or wget
and then executed.
While connections made using HTTPS are generally considered secure, https://might-redirect.example.com/install.sh
might
- redirect to a
- location that uses HTTP. Downloads made using HTTP are not secure and can be intercepted and modified. An attacker could modify the
- install script to
- run malicious code inside the container.
While connections made using HTTPS are generally considered secure, https://might-redirect.example.com/install.sh
might redirect to a
+location that uses HTTP. Downloads made using HTTP are not secure and can be intercepted and modified. An attacker could modify the install script to
+run malicious code inside the container.
curl
will not follow redirects unless either -L
or --location
option is used.
FROM ubuntu:22.04 @@ -45,9 +41,8 @@Noncompliant Code Example
RUN wget --secure-protocol=TLSv1_2 -q -O - https://might-redirect.example.com/install.sh | sh
If you expect the server to redirect the download to a new location, curl
can use the option --proto "=https"
- to ensure
- requests are only made using HTTPS. Any attempt to redirect to a location using HTTP will result in an error.
If you expect the server to redirect the download to a new location, curl
can use the option --proto "=https"
to ensure
+requests are only made using HTTPS. Any attempt to redirect to a location using HTTP will result in an error.
FROM ubuntu:22.04 @@ -55,7 +50,7 @@Compliant Solution
wget
does not support this functionality so curl
should be used instead.
If you expect the server to return the file without redirects, curl
should not be instructed to follow redirects. Remove any
- -L
or --location
options from the command.
-L
or --location
options from the command.
FROM ubuntu:22.04 @@ -69,15 +64,11 @@Compliant Solution
--proto <protocols>
--max-redirect=
--proto <protocols>
--max-redirect=
TODO
tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.
Sometimes the developer will not have the time or will simply forget to get back to that tag.
This rule is meant to track those tags and to ensure that they do not go unnoticed.
-# TODO apiVersion: v1-
When the Kubernetes parser fails, it is possible to record the failure as a violation on the file. This way, not only it is possible to track the number of files that do not parse but also to easily find out why they do not parse.
diff --git a/iac-extensions/terraform/sonarpedia.json b/iac-extensions/terraform/sonarpedia.json index c33f905fc7..656dab501d 100644 --- a/iac-extensions/terraform/sonarpedia.json +++ b/iac-extensions/terraform/sonarpedia.json @@ -3,7 +3,7 @@ "languages": [ "TERRAFORM" ], - "latest-update": "2023-04-03T19:15:07.744944Z", + "latest-update": "2023-05-08T07:14:52.735950819Z", "options": { "no-language-in-filenames": true, "preserve-filenames": true diff --git a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S1135.html b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S1135.html index 30410595e9..598ea22792 100644 --- a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S1135.html +++ b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S1135.html @@ -1,13 +1,14 @@ +TODO
tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.
Sometimes the developer will not have the time or will simply forget to get back to that tag.
This rule is meant to track those tags and to ensure that they do not go unnoticed.
-resource "foo" "bar" { # TODO }-
When the HCL-Terraform parser fails, it is possible to record the failure as a violation on the file. This way, not only it is possible to track the number of files that do not parse but also to easily find out why they do not parse.
diff --git a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S4423.html b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S4423.html
index 3f9a7526b1..ae11ee6003 100644
--- a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S4423.html
+++ b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S4423.html
@@ -1,3 +1,4 @@
+This rule raises an issue when an insecure TLS protocol version (i.e. a protocol different from "TLSv1.2", "TLSv1.3", "DTLSv1.2", or "DTLSv1.3") is used or allowed.
It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the
@@ -6,7 +7,7 @@
In most cases, using the default system configuration is not compliant. Indeed, an application might get deployed on a wide range of systems with different configurations. While using a system’s default value might be safe on modern up-to-date systems, this might not be the case on older systems. It is therefore recommended to explicitly set a safe configuration in every case.
-For Amazon OpenSearch domains:
resource "aws_elasticsearch_domain" "example" {
@@ -37,7 +38,7 @@-Noncompliant Code Example
# ... }
For Amazon OpenSearch domains:
resource "aws_elasticsearch_domain" "example" {
@@ -69,7 +70,7 @@-Compliant Solution
# ... }
Shared conventions allow teams to collaborate effectively. This rule allows to check that all tag keys match a provided regular expression.
-With default provided regular expression ^([A-Z]:)([A-Z][A-Za-z]*)$:
resource "aws_s3_bucket" "mynoncompliantbucket" {
@@ -10,7 +11,7 @@-Noncompliant Code Example
} }
resource "aws_s3_bucket" "mycompliantbucket" { bucket = "mybucketname"
@@ -20,7 +21,7 @@-Compliant Solution
} }
It’s recommended to apply the least privilege principle, i.e. by only granting the necessary permissions to identities. A good practice is to start with the very minimum set of permissions and to refine the policy over time. In order to fix overly permissive policies already deployed in production, a strategy could be to review the monitored activity in order to reduce the set of permissions to those most used.
-A customer-managed policy for AWS that grants all permissions by using the wildcard (*) in the Action
property:
resource "aws_iam_policy" "example" {
diff --git a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6304.html b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6304.html
index 4b059696d1..c24c8a6ae4 100644
--- a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6304.html
+++ b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6304.html
@@ -10,7 +10,7 @@Recommended Secure Coding Practices
to organize or tag resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors. -Noncompliant Code Example
+Sensitive Code Example
Update permission is granted for all policies using the wildcard (*) in the
Resource
property:resource "aws_iam_policy" "noncompliantpolicy" {
diff --git a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6317.html b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6317.html
index c6de3df8ca..971464c7de 100644
--- a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6317.html
+++ b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6317.html
@@ -1,3 +1,4 @@
+Why is this an issue?
AWS Identity and Access Management (IAM) is the service that defines access to AWS resources. One of the core components of IAM is the policy which, when attached to an identity or a resource, defines its permissions. Policies granting permission to an Identity (a User, a Group or Role) are called identity-based policies. They add the ability to an identity to perform a predefined set of actions on a list of resources.
@@ -151,7 +152,7 @@The general recommendation to protect against privilege escalation is to restrict the resources to which sensitive permissions are granted. The first example above is a good demonstration of sensitive permissions being used with a narrow scope of resources and where no privilege escalation is possible.
-Noncompliant Code Example
+Noncompliant code example
This policy allows to update the code of any lambda function. Updating the code of a lambda executing with high privileges will lead to privilege escalation.
@@ -173,7 +174,7 @@-Noncompliant Code Example
EOF }Compliant Solution
+Compliant solution
Narrow the policy to only allow to update the code of certain lambda functions.
resource "aws_iam_policy" "lambdaUpdatePolicy" {
@@ -194,7 +195,7 @@-Compliant Solution
EOF }See
+Resources
Cloud platforms such as AWS, Azure, or GCP support virtual firewalls that can be used to restrict access to services by controlling inbound and
outbound traffic.
Any firewall rule allowing traffic from all IP addresses to standard network ports on which administration services
traditionally listen, such as 22 for SSH, can expose these services to exploits and unauthorized access.
It’s recommended to restrict access to remote administration services to only trusted IP addresses. In practice, trusted IP addresses are those held by system administrators or those of bastion-like servers.
-An ingress rule allowing all inbound SSH traffic for AWS:
resource "aws_security_group" "noncompliant" {
@@ -61,7 +62,7 @@-Noncompliant Code Example
destination_address_prefix = "*" }
An ingress rule allowing inbound SSH traffic from specific IP addresses for AWS:
resource "aws_security_group" "compliant" {
@@ -104,7 +105,7 @@-Compliant Solution
source_ranges = ["10.0.0.1/32"] }
There is a risk if you answered yes to any of those questions.
It’s recommended to restrict API access to authorized entities, unless the API offers a non-sensitive service designed to be public.
-A public API that doesn’t have access control implemented:
resource "aws_api_gateway_method" "noncompliantapi" {
diff --git a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6385.html b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6385.html
index 6c0e6f48f9..8dfa8e7551 100644
--- a/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6385.html
+++ b/iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6385.html
@@ -1,10 +1,11 @@
+Why is this an issue?
Azure Resource Manager allows creating custom roles that can be assigned to users, groups, or service principals. A custom role that grants access to all resources of a subscription will have the same capabilities as the built-in Owner role.
It’s recommended to limit the number of subscription owners in order to mitigate the risk of being breached by a compromised owner. Having a custom role that grants subscription Owner capabilities makes it way more difficult to enforce this limitation.
This rule raises an issue when a custom role has an assignable scope set to a Subscription or a Management Group and allows all actions (
-*
)Recommended Secure Coding Practices
+Recommendations
resource "azurerm_role_definition" "example" { # Sensitive name = "example"
@@ -28,7 +29,7 @@-Sensitive Code Example
] }
resource "azurerm_role_definition" "example" { name = "example
@@ -44,7 +45,7 @@-Compliant Solution
] }
TLS configuration of Google Cloud load balancers is defined through SSL policies. There are three managed profiles to choose from:
COMPATIBLE
(default), MODERN
and RESTRICTED
:
resource "google_compute_ssl_policy" "example" { name = "example"
@@ -18,7 +19,7 @@-Noncompliant Code Example
profile = "COMPATIBLE" # Noncompliant }
resource "google_compute_ssl_policy" "example" { name = "example"
@@ -26,7 +27,7 @@-Compliant Solution
profile = "RESTRICTED" }