release/1.30.0 to main #420

Merged
merged 13 commits into from
Dec 17, 2024
2 changes: 1 addition & 1 deletion .github/workflows/semgrep.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
- uses: actions/checkout@v3

- id: semgrep
run: semgrep ci --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks -q --exclude="tests" --exclude="*/tests" --skip-unknown-extensions --suppress-errors
run: semgrep ci --metrics=off --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks --config .semgrep/rules/detected-aws-account-id-in-arn.yaml --config r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id --config r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key -q --skip-unknown-extensions --suppress-errors
continue-on-error: true

- name: Get branch name (pull request)
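Review bot: The account-ID rules added to the `run:` line cannot fail the job, because the step keeps `continue-on-error: true` (the context line right after it) and `-q --suppress-errors` also silences a failure to load `.semgrep/rules/detected-aws-account-id-in-arn.yaml` or either registry rule, so a typo in a config path goes unnoticed. If these findings are meant to gate merges, drop `continue-on-error: true` and add `--error` as the pre-commit hook in this PR does; otherwise at least drop `--suppress-errors` so rule-loading problems surface in the log. The new line also appears to drop the `--exclude="tests"` flags, which fits the fixture scrubbing elsewhere in the PR but diverges from the `exclude: "(.)*/tests|tests"` the pre-commit hook still carries. The remaining steps of the job are outside the hunk.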
12 changes: 9 additions & 3 deletions .pre-commit-config.yaml
@@ -1,18 +1,24 @@
repos:
- repo: https://github.com/returntocorp/semgrep
rev: 'v1.14.0'
rev: 'v1.89.0'
hooks:
- id: semgrep
exclude: "(.)*/tests|tests"
args: [
'--metrics=off',
'--config',
'p/owasp-top-ten',
'--config',
'p/cwe-top-25',
'--config',
'p/gitleaks',
'--config',
'r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id',
'--config',
'.semgrep/rules/detected-aws-account-id-in-arn.yaml',
'--config',
'r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key',
'--error',
'--skip-unknown-extensions',
'--exclude-rule=python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text'
]
stages: [commit]
stages: [pre-commit]
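Review bot: The hook keeps `exclude: "(.)*/tests|tests"` (context line above the new args), so the three account-ID configs added here never see the test resources this PR scrubs, while the CI run line no longer seems to exclude them; contributors will first hear about a fixture account ID from CI rather than at commit time. Aligning the two — dropping the `exclude` here, or excluding tests in both places — closes that gap. With `--error` in place, the custom rule's `severity: ERROR` at `confidence: LOW` blocks a commit on every 12-digit number that follows `aws`/`arn` on a line, so a local run of that rule over the repository before merging would show how noisy it is.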
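--- a/.semgrep/rules/detected-aws-account-id-in-arn.yaml
+++ b/.semgrep/rules/detected-aws-account-id-in-arn.yaml
@@ -0,0 +1,28 @@
+rules:
+- id: detected-aws-account-id-in-arn
+patterns:
+- pattern-regex: ((?i:aws|arn)[^\d]+\d{12}[^\d]+)
+- pattern-not-regex: 12345|00000
+languages:
+- regex
+message: AWS Account ID detected in arn.
+severity: ERROR
+metadata:
+cwe:
+- "CWE-798: Use of Hard-coded Credentials"
+source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
+category: security
+technology:
+- secrets
+- aws
+confidence: LOW
+owasp:
+- A07:2021 - Identification and Authentication Failures
+references:
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: HIGH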
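Review bot: `pattern-regex: ((?i:aws|arn)[^\d]+\d{12}[^\d]+)` has no word boundary, so `warn`, `learn`, `laws` or `barn` followed by any run of non-digits and a 12-digit number also matches, the unbounded `[^\d]+` gap lets the keyword sit anywhere earlier on the line, and `pattern-not-regex: 12345|00000` also suppresses any real ID that happens to contain those substrings. Something like `\b(?i:aws|arn)\b[^\d\n]{1,64}\d{12}(?!\d)` narrows the match while still catching ARNs, and a YAML comment saying that `12345`/`00000` are placeholder exclusions would help the next maintainer. The fixture edits in this PR — Canonical's public, non-secret AMI owner ID in docs/startleft-processors/iac/tf/Terraform-Quickstart.md and the all-digit tail of a UUID in slp_cft/tests/resources/otm/otm_expected_result.otm — read as false positives resolved by editing data rather than the rule, presumably from this rule or one of the registry account-ID rules, and the Quickstart example now names an AMI owner that returns nothing.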
5 changes: 3 additions & 2 deletions deployment/Dockerfile.application
Expand Up @@ -4,8 +4,9 @@ WORKDIR /usr/src/app

RUN apk update && \
apk upgrade && \
apk --no-cache add geos geos-dev git graphviz-dev lapack libmagic libstdc++ && \
apk --no-cache add --virtual .builddeps g++ gcc gfortran lapack-dev musl-dev py3-pybind11-dev re2 re2-dev
apk add --repository=https://dl-cdn.alpinelinux.org/alpine/v3.20/main --repository=https://dl-cdn.alpinelinux.org/alpine/v3.20/community \
g++~=13.2 gcc~=13.2 gfortran~=13.2 libgcc~=13.2 libstdc++~=13.2 && \
apk --no-cache add geos geos-dev git graphviz-dev lapack lapack-dev libmagic musl-dev py3-pybind11-dev re2 re2-dev

COPY . .

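Review bot: The compilers and `-dev` packages on the new `apk add` lines are no longer installed under `--virtual .builddeps`, so if the Dockerfile still runs `apk del .builddeps` after the build (outside this hunk) that step now removes nothing, and g++, gcc, gfortran, musl-dev, lapack-dev and re2-dev stay in the runtime image, enlarging it and its attack surface. Keeping the build-only packages in a virtual group and deleting it once the Python build is done restores the previous layering. Pulling `g++~=13.2 gcc~=13.2 gfortran~=13.2 ...` from the explicit v3.20 repositories while everything else comes from the base image's repositories mixes package generations, and `~=` allows drift between builds; a comment stating why the newer toolchain is needed and, ideally, an exact pin would make the choice reproducible.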
2 changes: 1 addition & 1 deletion docs/startleft-processors/iac/tf/Terraform-Quickstart.md
Expand Up @@ -47,7 +47,7 @@ data "aws_ami" "ubuntu" {
values = ["hvm"]
}

owners = ["099720109477"] # Canonical
owners = ["123456789012"] # Canonical
}

resource "aws_instance" "web" {
12 changes: 6 additions & 6 deletions examples/tfplan/aws-ingesting-click-logs-using-terraform.json
Expand Up @@ -927,7 +927,7 @@
"schema_version": 0,
"values": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2319,7 +2319,7 @@
"before": null,
"after": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2379,7 +2379,7 @@
"before": null,
"after": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2571,9 +2571,9 @@
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"account_id": "154977180039",
"arn": "arn:aws:iam::656177851052:user/someuser",
"id": "194477180039",
"account_id": "123456789012",
"arn": "arn:aws:iam::123456789015:user/someuser",
"id": "123456789014",
"user_id": "ANYUSERID"
},
"sensitive_values": {}}, {
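--- a/otm/otm/entity/component.py
+++ b/otm/otm/entity/component.py
@@ -3,6 +3,11 @@
 from otm.otm.entity.parent_type import ParentType
 from otm.otm.entity.representation import RepresentationElement
 from otm.otm.entity.threat import ThreatInstance
+from sl_util.sl_util.str_utils import truncate
+
+
+MAX_NAME_SIZE = 255
+MAX_TAG_SIZE = 255
 
 
 class Component:
@@ -19,6 +24,22 @@ def __init__(self, component_id, name, component_type=None, parent=None, parent_
 self.threats: [ThreatInstance] = threats or []
 self.representations: List[RepresentationElement] = representations
 
+@property
+def name(self):
+return self._name
+
+@name.setter
+def name(self, value):
+self._name = truncate(value, MAX_NAME_SIZE)
+
+@property
+def tags (self):
+return self._tags
+
+@tags.setter
+def tags(self, value):
+self._tags = [tag for tag in value if tag and len(tag) <= MAX_TAG_SIZE] if value else None
+
 def add_threat(self, threat: ThreatInstance):
 self.threats.append(threat)
 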
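Review bot: The new `tags` setter silently drops any tag longer than `MAX_TAG_SIZE` while the `name` setter truncates, and `... if value else None` turns an empty list into `None`, which is why the assertion in slp_drawio/tests/unit/load/test_diagram_dataflow_loader.py had to be loosened; callers that do `len(component.tags)` or iterate the list now need a `None` check. Either truncate tags the way names are truncated or log what is dropped, and consider `[...] if value is not None else None` so an empty list stays a list. `MAX_NAME_SIZE`/`MAX_TAG_SIZE` are defined three times (this file, otm/otm/entity/dataflow.py, otm/otm/entity/trustzone.py); one definition next to `truncate` in sl_util/sl_util/str_utils.py keeps the limits from diverging, and the setters deserve a one-line comment on why 255 (presumably a bound on the regex path exercised in slp_tfplan/tests/unit/map/test_tfplan_mapper.py — confirm). The same property block is added in dataflow.py, and the `name` half in trustzone.py; `def tags (self)` carries a stray space before the parenthesis in both files. `__init__`, where `self.name`/`self.tags` are presumably assigned through these setters, is outside the hunk.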
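--- a/otm/otm/entity/dataflow.py
+++ b/otm/otm/entity/dataflow.py
@@ -1,3 +1,10 @@
+from sl_util.sl_util.str_utils import truncate
+
+
+MAX_NAME_SIZE = 255
+MAX_TAG_SIZE = 255
+
+
 class Dataflow:
 def __init__(self, dataflow_id, name, source_node, destination_node, bidirectional: bool = None,
 source=None, attributes=None, tags=None):
@@ -10,6 +17,22 @@ def __init__(self, dataflow_id, name, source_node, destination_node, bidirection
 self.attributes = attributes
 self.tags = tags
 
+@property
+def name(self):
+return self._name
+
+@name.setter
+def name(self, value):
+self._name = truncate(value, MAX_NAME_SIZE)
+
+@property
+def tags (self):
+return self._tags
+
+@tags.setter
+def tags(self, value):
+self._tags = [tag for tag in value if tag and len(tag) <= MAX_TAG_SIZE] if value else None
+
 def json(self):
 json = {
 "id": self.id,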
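--- a/otm/otm/entity/trustzone.py
+++ b/otm/otm/entity/trustzone.py
@@ -1,4 +1,8 @@
 from otm.otm.entity.parent_type import ParentType
+from sl_util.sl_util.str_utils import truncate
+
+
+MAX_NAME_SIZE = 255
 
 
 class Trustzone:
@@ -14,6 +18,14 @@ def __init__(self, trustzone_id, name, parent=None, parent_type: ParentType = No
 self.trustrating = trustrating
 self.representations = representations
 
+@property
+def name(self):
+return self._name
+
+@name.setter
+def name(self, value):
+self._name = truncate(value, MAX_NAME_SIZE)
+
 def __eq__(self, other):
 return type(other) == Trustzone and self.id == other.id
 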
2 changes: 1 addition & 1 deletion setup.py
Expand Up @@ -22,7 +22,7 @@
'python-hcl2==4.3.2',
'requests==2.32.3',
'fastapi>=0.115.2,<0.116.0',
'python-multipart==0.0.7',
'python-multipart==0.0.18',
'click==8.1.7',
'uvicorn==0.23.2',
'shapely==2.0.1',
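--- a/sl_util/sl_util/str_utils.py
+++ b/sl_util/sl_util/str_utils.py
@@ -21,3 +21,6 @@ def to_number(input, default_value: int = 0) -> int:
 return w2n.word_to_num(input)
 except ValueError:
 return default_value
+
+def truncate(s: str, max_length: int) -> str:
+return s[:max_length] if s else s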
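Review bot: `truncate` returns `None` and `""` unchanged but is annotated `s: str -> str`, and it has no docstring; annotate the input as `Optional[str]` (or `str | None` if the codebase is on 3.10+) and add `"""Return s cut to at most max_length characters; falsy input is returned unchanged."""`. A negative `max_length` is accepted silently and slices from the end, so `if max_length < 0: raise ValueError("max_length must be >= 0")` would make misuse visible. Truncation is by code point, so a 255-character name can still exceed 255 bytes if the consumer's limit is byte-based — worth stating in the docstring if that limit is known. PEP 8 wants two blank lines before a new top-level `def`; the hunk shows one.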
2 changes: 1 addition & 1 deletion slp_cft/tests/resources/otm/otm_expected_result.otm
Expand Up @@ -368,7 +368,7 @@
]
},
{
"id": "c3b000fd-6108-403c-adee-282422171840",
"id": "c3b000fd-6108-403c-adee-123456789012",
"name": "VPCmonitoringSecurityGroup -> VPCmonitoring",
"source": "b61d6911-338d-46a8-9f39-8dcd24abfe91.customvpc",
"destination": "b61d6911-338d-46a8-9f39-8dcd24abfe91.customvpc.privatesubnet1.vpcmonitoring",
2 changes: 1 addition & 1 deletion slp_drawio/tests/unit/load/test_diagram_dataflow_loader.py
Expand Up @@ -32,7 +32,7 @@ def test_load(self, get_dataflow_tags_wrapper):
assert diagram_dataflows[1].otm.name == 'pt2kyrPXSm7H56EBWWGj-8-dataflow'
assert diagram_dataflows[1].otm.source_node == 'pt2kyrPXSm7H56EBWWGj-7'
assert diagram_dataflows[1].otm.destination_node == 'pt2kyrPXSm7H56EBWWGj-7'
assert len(diagram_dataflows[1].otm.tags) == 0
assert not diagram_dataflows[1].otm.tags

# AND the method get_dataflow_tags has been called once for each dataflow
assert get_dataflow_tags_wrapper.call_count == len(diagram_dataflows)
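Review bot: `assert not diagram_dataflows[1].otm.tags` accepts `None`, `[]` and `False` alike, so the test no longer pins what a dataflow without tags carries; if `None` from the new `Dataflow.tags` setter is the contract, `assert diagram_dataflows[1].otm.tags is None` says so, with a comment such as `# Dataflow.tags normalises an empty tag list to None`. test_load continues outside the hunk.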
Expand Up @@ -150,7 +150,7 @@ module "db" {

data "aws_ami" "iriusrisk_ha" {
most_recent = true
owners = ["154977180039"]
owners = ["123456789012"]

filter {
name = "name"
Expand Up @@ -40,20 +40,22 @@ resource "aws_acm_certificate" "acm_certificate" {
resource "aws_kms_key" "kms_key" {
description = "KMS key 1"
deletion_window_in_days = 10
enable_key_rotation = true
}

resource "aws_cloudwatch_log_group" "cloudwatch_log_group_1" {
name = "Yada"

retention_in_days = 14
tags = {
Environment = "production"
Application = "serviceA"
}

}

resource "aws_cloudwatch_log_group" "cloudwatch_log_group_2" {
name = "Yada"

retention_in_days = 14
tags = {
Environment = "production"
Application = "serviceA"
Expand Down Expand Up @@ -140,7 +142,7 @@ resource "aws_mq_broker" "mq_broker" {

user {
username = "ExampleUser"
password = "MindTheGap"
password = "******"
}
}

Expand Down Expand Up @@ -190,6 +192,7 @@ resource "aws_config_configuration_recorder" "config_configuration_recorder" {

resource "aws_ecr_repository" "ecr_repository" {
name = "bar"
image_tag_mutability = "IMMUTABLE"
}

resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" {
Expand Down Expand Up @@ -293,9 +296,9 @@ resource "aws_sns_topic" "sns_topic" {
}

resource "aws_sns_topic_subscription" "sns_topic_subscription" {
topic_arn = "arn:aws:sns:us-west-2:432981146916:user-updates-topic"
topic_arn = "arn:aws:sns:us-west-2:123456789012:user-updates-topic"
protocol = "sqs"
endpoint = "arn:aws:sqs:us-west-2:432981146916:terraform-queue-too"
endpoint = "arn:aws:sqs:us-west-2:123456789012:terraform-queue-too"
}

resource "aws_waf_ipset" "waf_ipset" {
Expand Down Expand Up @@ -392,6 +395,9 @@ resource "aws_kinesis_analytics_application" "kinesis_analytics_application_2" {
resource "aws_kinesis_stream" "kinesis_stream" {
name = "example-stream"
shard_count = 1
encryption_type = "KMS"
kms_key_id = "example-kms-key-id"

}

resource "aws_kinesis_stream_consumer" "kinesis_stream_consumer" {
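Review bot: The attributes added throughout this fixture — `enable_key_rotation`, `retention_in_days`, `image_tag_mutability`, `encryption_type`/`kms_key_id` and the masked `password` — look like edits made so the test resources pass the scanner rules rather than to exercise the parser, and nothing in the file records that. A header comment such as `# Hardening attributes (key rotation, log retention, KMS, immutable tags) are present so this fixture passes the semgrep CI/pre-commit rules; the slp_tf tests are not expected to assert on them` would stop a later cleanup from removing them — assuming the tests really do not read them, which the hunk cannot confirm. `password = "******"` is still a literal credential value in a fixture; if the rule that flagged the previous value matches on the attribute name rather than the value, it will keep firing. The blank line left between `kms_key_id` and the closing brace of `aws_kinesis_stream` is a small style nit.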
Expand Up @@ -259,7 +259,7 @@ resource "aws_security_group" "webserver" {

data "aws_ami" "iriusrisk_ha" {
most_recent = true
owners = ["154977180039"]
owners = ["123456789012"]

filter {
name = "name"
Expand Up @@ -10,8 +10,8 @@ iriusrisk_version = "4.5.1"
startleft_version = "startleft"
type = "internal"
bastion_host_cidrs = ["52.30.97.44/32"]
certificate_arn = "arn:aws:iam::154977180039:server-certificate/wildcard-iriusrisk-com-until-25-oct-2022"
iam_instance_profile_arn = "arn:aws:iam::154977180039:instance-profile/myManagedInstanceRoleforSSM"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/example-certificate"
iam_instance_profile_arn = "arn:aws:iam::123456789012:instance-profile/myManagedInstanceRoleforSSM"

## vpc
vpc_cidr = "10.0.0.0/16"
12 changes: 6 additions & 6 deletions slp_tfplan/tests/resources/tfplan/official-tfplan.json
Expand Up @@ -927,7 +927,7 @@
"schema_version": 0,
"values": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2319,7 +2319,7 @@
"before": null,
"after": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2379,7 +2379,7 @@
"before": null,
"after": {
"acl": "private",
"bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
"bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
"bucket_prefix": null,
"force_destroy": false,
"tags": {
Expand Down Expand Up @@ -2571,9 +2571,9 @@
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"account_id": "154977180039",
"arn": "arn:aws:iam::656177851052:user/someuser",
"id": "194477180039",
"account_id": "123456789012",
"arn": "arn:aws:iam::123456789012:user/someuser",
"id": "123456789012",
"user_id": "ANYUSERID"
},
"sensitive_values": {}}, {
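Review bot: This copy and examples/tfplan/aws-ingesting-click-logs-using-terraform.json were scrubbed differently: in the block at plan line 2571 the examples copy keeps three distinct placeholders (`123456789012`, `123456789015`, `123456789014`) while here `account_id`, the ARN account and `id` all become `123456789012`, although the original values were three different numbers. If any slp_tfplan test relies on telling those fields apart — none is visible from the hunk — they are now indistinguishable; reusing the examples copy's distinct placeholders keeps the two files in sync. The surrounding resource object is outside the hunk.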
4 changes: 2 additions & 2 deletions slp_tfplan/tests/unit/map/test_tfplan_mapper.py
Expand Up @@ -111,8 +111,8 @@ def test_mapping_by_type(self):

@mark.parametrize('regex,resource_type', [
param(r'^aws_\w*$','aws_vpc', id='aws_vpc'),
param(r'^a+$','a'*256, id='long_string'),
param(r'^(a+)+$','a'*256, id='redos_attack'),
param(r'^a+$','a'*255, id='long_string'),
param(r'^(a+)+$','a'*255, id='redos_attack'),
])
def test_mapping_by_regex(self,regex,resource_type:str):
# GIVEN a resource of some TF type
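Review bot: The drop from `'a'*256` to `'a'*255` has no stated reason; presumably it tracks the new `MAX_NAME_SIZE = 255` in the otm entity classes, where names are now truncated. A comment on the parametrize, e.g. `# 255 == MAX_NAME_SIZE: longer names are truncated by the OTM entities before mapping`, records that link, and if the 256 case was deliberately testing the over-limit path it may be worth keeping both lengths. Note that the `redos_attack` input only exercises the matching path of `^(a+)+$`; the catastrophic case is a near-miss string, which cannot be tested safely without a timeout, so the id may promise more than the case checks. test_mapping_by_regex continues outside the hunk.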