Merge pull request #6700 from Checkmarx/kics-1035-logging

feat(query): ansible playbooks Logging of Sensitive Data

assets/queries/ansible/general/logging_of_sensitive_data/metadata.json

@@ -0,0 +1,12 @@
+{
+    "id": "59029ddf-e651-412b-ae7b-ff6d403184bc",
+    "queryName": "Logging of Sensitive Data",
+    "severity": "LOW",
+    "category": "Best Practices",
+    "descriptionText": "To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True",
+    "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-log-password/",
+    "platform": "Ansible",
+    "descriptionID": "a700e724",
+    "cloudProvider": "common"
+  }
+

assets/queries/ansible/general/logging_of_sensitive_data/query.rego

@@ -0,0 +1,42 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as commonLib
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][t]
+
+	not commonLib.valid_key(task, "no_log")
+
+	action := task["ansible.builtin.user"]
+	commonLib.valid_key(action, "password")
+
+	result := {
+		"documentId": id,
+		"resourceName": task.name,
+		"resourceType": "ansible.builtin.user",
+		"searchKey": sprintf("name={{%s}}", [task.name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data",
+		"keyActualValue": "'no_log' is not defined",
+	}
+}
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][t]
+
+	task.no_log == false
+
+	action := task["ansible.builtin.user"]
+	commonLib.valid_key(action, "password")
+
+	result := {
+		"documentId": id,
+		"resourceName": task.name,
+		"resourceType": "ansible.builtin.user",
+		"searchKey": sprintf("name={{%s}}.no_log", [task.name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data",
+		"keyActualValue": "'no_log' is set to false",
+	}
+}

assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml

@@ -0,0 +1,41 @@
+---
+- name: Negative playbook
+  hosts: localhost
+  tasks:
+    - name: foo
+      ansible.builtin.user:
+        name: john_doe
+        comment: John Doe
+        uid: 1040
+        group: admin
+        password: "{{ item }}"
+      with_items:
+        - wow
+      no_log: true
+
+---
+- name: Negative Playbook 2
+  hosts: localhost
+  tasks:
+    - name: bar
+      ansible.builtin.user:
+        name: john_doe
+        comment: John Doe
+        uid: 1040
+        group: admin
+      with_items:
+        - wow
+      no_log: false
+
+---
+- name: Negative Playbook 3
+  hosts: localhost
+  tasks:
+    - name: bar
+      ansible.builtin.user:
+        name: john_doe
+        comment: John Doe
+        uid: 1040
+        group: admin
+      with_items:
+        - wow

assets/queries/ansible/general/logging_of_sensitive_data/test/positive1.yaml

@@ -0,0 +1,14 @@
+---
+- name: Positive Playbook
+  hosts: localhost
+  tasks:
+    - name: bar
+      ansible.builtin.user:
+        name: john_doe
+        comment: John Doe
+        uid: 1040
+        group: admin
+        password: "{{ item }}"
+      with_items:
+        - wow
+      no_log: false

assets/queries/ansible/general/logging_of_sensitive_data/test/positive2.yaml

@@ -0,0 +1,13 @@
+---
+- name: Positive Playbook
+  hosts: localhost
+  tasks:
+    - name: bar
+      ansible.builtin.user:
+        name: john_doe
+        comment: John Doe
+        uid: 1040
+        group: admin
+        password: "{{ item }}"
+      with_items:
+        - wow

assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "Logging of Sensitive Data",
+		"severity": "LOW",
+		"line": 14,
+		"fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Logging of Sensitive Data",
+		"severity": "LOW",
+		"line": 5,
+		"fileName": "positive2.yaml"
+	}
+]