feat(query): Add SSL Enforement query

GeekMasher · GeekMasher · commit 492325db0c64 · 2025-06-11T11:24:30.000+01:00
diff --git a/ql/src/security/CWE-319/SslEnforement.md b/ql/src/security/CWE-319/SslEnforement.md
@@ -0,0 +1,29 @@
+# SSL / TLS not Enforced
+
+This query detects Azure database resources that have SSL/TLS enforcement disabled. Disabling SSL/TLS enforcement can expose sensitive data to interception and man-in-the-middle attacks, as connections to the database may be established without encryption. It is a security best practice to always require SSL/TLS for database connections to ensure data in transit is protected.
+
+## Bad Example: SSL Enforcement Disabled
+
+```bicep
+resource db 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'mydbserver'
+  location: 'eastus'
+  properties: {
+    version: '12.0'
+    sslEnforcement: 'Disabled' // BAD: SSL enforcement is disabled
+  }
+}
+```
+
+## Good Example: SSL Enforcement Enabled
+
+```bicep
+resource db 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'mydbserver'
+  location: 'eastus'
+  properties: {
+    version: '12.0'
+    sslEnforcement: 'Enabled' // GOOD: SSL enforcement is enabled
+  }
+}
+```
diff --git a/ql/src/security/CWE-319/SslEnforement.ql b/ql/src/security/CWE-319/SslEnforement.ql
@@ -0,0 +1,22 @@
+/**
+ * @name SSL / TLS not Enforced
+ * @description SSL / TLS should be enforced on resources to ensure secure communication.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 6.0
+ * @precision high
+ * @id bicep/ssl-enforcement-disabled
+ * @tags security
+ *       bicep
+ *       azure
+ *       cryptography
+ */
+
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Databases::Databases
+
+from DatabaseResource db
+where db.sslEnforcement() = "Disabled"
+select db.getSslEnforcement(),
+  "SSL / TLS is not enforced on the database resource '" + db.getName() + "'."
diff --git a/ql/test/queries-tests/security/CWE-319/SslEnforement/SslEnforement.expected b/ql/test/queries-tests/security/CWE-319/SslEnforement/SslEnforement.expected
@@ -0,0 +1 @@
+| app.bicep:19:21:19:30 | String | SSL / TLS is not enforced on the database resource 'publicdbserver'. |
diff --git a/ql/test/queries-tests/security/CWE-319/SslEnforement/SslEnforement.qlref b/ql/test/queries-tests/security/CWE-319/SslEnforement/SslEnforement.qlref
@@ -0,0 +1 @@
+security/CWE-319/SslEnforement.ql
diff --git a/ql/test/queries-tests/security/CWE-319/SslEnforement/app.bicep b/ql/test/queries-tests/security/CWE-319/SslEnforement/app.bicep
@@ -0,0 +1,21 @@
+
+// Secure
+resource db 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'securetlsdb'
+  location: 'eastus'
+  properties: {
+    sslEnforcement: 'Enabled'   // GOOD: Enforced
+  }
+}
+
+// Bad
+resource db 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'publicdbserver'
+  location: 'eastus'
+  properties: {
+    version: '12.0'
+    publicNetworkAccess: 'Enabled' // BAD: Database is publicly accessible
+    minimalTlsVersion: '1.0' // BAD: Weak TLS version
+    sslEnforcement: 'Disabled' // BAD: SSL enforcement is disabled
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| app.bicep:19:21:19:30 \| String \| SSL / TLS is not enforced on the database resource 'publicdbserver'. \|`