Merge branch 'master' into kics-1343

Checkmarx · Feb 27, 2024 · b378e2b · b378e2b
2 parents 1e5ef72 + 6b9fa67
commit b378e2b
Show file tree

Hide file tree

Showing 36 changed files with 80,103 additions and 56 deletions.
diff --git a/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket SSE Disabled",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required",
+  "descriptionText": "If master key is null, empty of undefined, then SSE algorithm should be AES25. Conversely, if SSE algorithm is AES256, then master key should be null, empty or undefined.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-encryption_key_id",
   "platform": "Ansible",
   "descriptionID": "4008dca4",

diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket SSE Disabled",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required",
+  "descriptionText": "If master key is null, empty of undefined, then SSE algorithm should be AES25. Conversely, if SSE algorithm is AES256, then master key should be null, empty or undefined.",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html",
   "platform": "CloudFormation",
   "descriptionID": "42fd2930",

diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego
@@ -19,6 +19,7 @@ CxPolicy[result] {
 
 haveLogs(stageName) {
 	log := input.document[i].resource.aws_cloudwatch_log_group[_]
-	regexPattern := sprintf("API-Gateway-Execution-Logs_\\${aws_api_gateway_rest_api\\.\\w+\\.id}/%s$", [stageName])	
+	stageName_escaped := replace(replace(stageName, "$", "\\$"), ".", "\\.")
+	regexPattern := sprintf("API-Gateway-Execution-Logs_\\${aws_api_gateway_rest_api\\.\\w+\\.id}/%s$", [stageName_escaped])
 	regex.match(regexPattern, log.name)
 }
diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/negative2.tf b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/negative2.tf
@@ -0,0 +1,20 @@
+module "env" {
+  source = "./env"
+}
+
+resource "aws_api_gateway_rest_api" "example" {
+  # ... other configuration ...
+}
+
+resource "aws_api_gateway_stage" "example" {
+  depends_on = [aws_cloudwatch_log_group.example]
+
+  stage_name = module.env.vars.stage_name
+  # ... other configuration ...
+}
+
+resource "aws_cloudwatch_log_group" "example" {
+  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${module.env.vars.stage_name}"
+  retention_in_days = 7
+  # ... potentially other configuration ...
+}
diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego
@@ -34,6 +34,10 @@ check_iam_ressource(statement) {
 	is_array(statement.Resource)
 	regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+:[*]$)", statement.Resource[_])
 	regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+$)", statement.Resource[_])
+} else {
+    is_array(statement.resources)
+    regex.match("(^aws_lambda_function\\.[^.]\\.arn:[*]$)", statement.resources[_])
+    regex.match("(^aws_lambda_function\\.[^.]\\.arn$)", statement.resources[_])
 }
 
 check_iam_action(statement) {

diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/negative3.tf b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/negative3.tf
@@ -0,0 +1,28 @@
+resource "aws_lambda_function" "negative3" {
+  function_name = "negative3"
+  role          = "negative3_role"
+}
+
+resource "aws_iam_policy" "negative3policy" {
+  name        = "negative3policy"
+  path        = "/"
+  description = "negative3 Policy"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "s3:*",
+        ]
+        Effect   = "Allow"
+        Resource = [
+            aws_lambda_function.negative3.arn,
+            "${aws_lambda_function.negative3.arn}:*"
+        ]
+      },
+    ]
+  })
+}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket SSE Disabled",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required",
+  "descriptionText": "If master key is null, empty of undefined, then SSE algorithm should be AES25. Conversely, if SSE algorithm is AES256, then master key should be null, empty or undefined.",
   "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration",
   "platform": "Terraform",
   "descriptionID": "b386c506",

diff --git a/docs/architecture.md b/docs/architecture.md
@@ -37,9 +37,13 @@ The sequence diagram below depicts interaction of the main KICS components:
 
 ## Concurrent Scans
 
-KICS creates multiple services, each containing a unique parser. All the services will then concurrently generate a payload and run queries on it according to its containing parser. When a vulnerability is found, it is saved inside the Storage which is shared amongst all the services.
+KICS creates multiple services, each containing a unique parser. All the services will then concurrently generate a payload and run queries on it according to its containing parser. 
 
-- Paths => create services based on types of IaC files.
-- Service => contains a unique parser and shares other resources with other services
-- Start Scan => Services will concurrently create payloads based on its parser, inspect for vulnerabilities and save them on the shared storage
-- Results => when all services have finished their execution all the results will be gathered from the storage
+Concurrency exists on both the services representing each platform as well as the queries of each service. Each platform detected will run their queries concurrently with one another and the queries of each platform will themselves run concurrently using the number of workers passed on th. 
+
+When a vulnerability is found, it is saved inside the Storage which is shared amongst all the services.
+
+- Paths => create services based on types of IaC files;
+- Service => contains a unique parser and shares other resources with other services;
+- Start Scan => Services will concurrently create payloads based on its parser, inspect for vulnerabilities and save them on the shared storage;
+- Results => when all services have finished their execution all the results will be gathered from the storage.
diff --git a/docs/commands.md b/docs/commands.md
@@ -61,6 +61,7 @@ Use "kics [command] --help" for more information about a command.
 |      --no-progress                 |  hides the progress bar|
 |      --output-name string          |  name used on report creations (default "results")|
 |  -o, --output-path string          |  directory path to store reports|
+|      --parallel                    |  number of workers per platform enabled for parallel scanning, set 0 to auto-detect parallelism (default 1)|
 |  -p, --path strings                |  paths or directories to scan<br>example: "./somepath,somefile.txt"|
 |      --payload-lines               |  adds line information inside the payload when printing the payload file|
 |  -d, --payload-path string         |  path to store internal representation JSON file|

diff --git a/docs/running-kics.md b/docs/running-kics.md
@@ -33,10 +33,36 @@ Available archive formats:
 -   `xz`
 
 ```
-docker run -t -v {path_to_zip}:/path checkmarx/kics scan -p /path/{name_of_zip_file}
+To scan a zip file, we would use this instruction: 
+
+docker run -t -v "{path_to_folder_of_zip}:/path" checkmarx/kics:latest scan -p /path/{name_of_zip_file}
+
+-t: Docker command to allocate a pseudo-TTY.
+
+-v "{path_to_folder_of_zip}:/path": Mounts the directory containing the zip file to be scanned into the Docker container.
+
+checkmarx/kics:latest: Specifies the Docker image to use, which is the latest version of KICS available. 
+
+scan -p /path/{name_of_zip_file}: initiates a scan on the zip file we provided, considering it's folder path.
+```
+
 ```
+To scan a file named "Example", we would use this instruction: 
+
+docker run -t -v "{path_to_folder_of_file_Example}:/path" checkmarx/kics:latest scan -p /path/Example
+
+-t: Docker command to allocate a pseudo-TTY.
+
+-v "{path_to_folder_of_file_Example}:/path": Mounts the directory containing the file to be scanned into the Docker container.
+
+checkmarx/kics:latest: Specifies the Docker image to use, which is the latest version of KICS available. 
+
+scan -p /path/Example: initiates a scan on the "Example" file we provided, considering it's folder path.
+```
+
+More information on Docker CLI can be seen [here](https://docs.docker.com/engine/reference/commandline/cli/)   
 
-More information can be seen [here](https://github.com/hashicorp/go-getter#unarchiving)
+More information on Go getter can be seen [here](https://github.com/hashicorp/go-getter#unarchiving)   
 
 ### S3