feat(arm): implement CKV_AZURE_80 in arm

bridgecrewio · Aug 22, 2023 · 0924c6e · 0924c6e
1 parent 83f6981
commit 0924c6e
Show file tree

Hide file tree

Showing 7 changed files with 633 additions and 9 deletions.
diff --git a/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py b/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py
@@ -0,0 +1,20 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServiceDotnetFrameworkVersion(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure that 'Net Framework' version is the latest, if used as a part of the web app"
+        id = "CKV_AZURE_80"
+        supported_resources = ['Microsoft.Web/sites/config']
+        categories = [CheckCategories.GENERAL_SECURITY]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/netFrameworkVersion"
+
+    def get_expected_value(self):
+        return "v7.0"
+
+
+check = AppServiceDotnetFrameworkVersion()
diff --git a/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py b/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py
@@ -1,21 +1,36 @@
 from checkov.common.models.enums import CheckCategories, CheckResult
-from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
 
 
-class AppServiceDotnetFrameworkVersion(BaseResourceValueCheck):
+class AppServiceDotnetFrameworkVersion(BaseResourceCheck):
     def __init__(self):
         name = "Ensure that 'Net Framework' version is the latest, if used as a part of the web app"
         id = "CKV_AZURE_80"
-        supported_resources = ['azurerm_app_service']
+        supported_resources = ['azurerm_app_service', 'azurerm_windows_web_app']
         categories = [CheckCategories.GENERAL_SECURITY]
-        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
-                         missing_block_result=CheckResult.UNKNOWN)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def get_inspected_key(self):
-        return "site_config/0/dotnet_framework_version"
+    def scan_resource_conf(self, conf):
+        if conf.get('site_config') and isinstance(conf.get('site_config'), list):
+            site_config = conf.get('site_config')[0]
+            if site_config.get('dotnet_framework_version') and isinstance(site_config.get('dotnet_framework_version'), list):
+                if site_config.get('dotnet_framework_version')[0] == "v6.0":
+                    return CheckResult.PASSED
+                return CheckResult.FAILED
+            if site_config.get('application_stack') and isinstance(site_config.get('application_stack'), list):
+                stack = site_config.get('application_stack')[0]
+                if stack.get('dotnet_version') and isinstance(stack.get('dotnet_version'), list):
+                    if stack.get('dotnet_version')[0] == "v7.0":
+                        return CheckResult.PASSED
+                    return CheckResult.FAILED
 
-    def get_expected_value(self):
-        return "v6.0"
+        return CheckResult.UNKNOWN
+
+    # def get_inspected_key(self):
+    #     return "site_config/0/dotnet_framework_version"
+
+    def get_expected_values(self):
+        return ["v6.0", "v7.0"]
 
 
 check = AppServiceDotnetFrameworkVersion()
diff --git a/tests/arm/checks/resource/example_AppServiceDotnetFrameworkVersion/failed.json b/tests/arm/checks/resource/example_AppServiceDotnetFrameworkVersion/failed.json
@@ -0,0 +1,199 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "sites_pike_name": {
+            "defaultValue": "pike",
+            "type": "String"
+        },
+        "serverfarms_example_serviceplan_externalid": {
+            "defaultValue": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/test/providers/Microsoft.Web/serverfarms/example-serviceplan",
+            "type": "String"
+        }
+    },
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.Web/sites",
+            "apiVersion": "2022-09-01",
+            "name": "[parameters('sites_pike_name')]",
+            "location": "UK South",
+            "kind": "app",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "enabled": true,
+                "hostNameSslStates": [
+                    {
+                        "name": "[concat(parameters('sites_pike_name'), '.azurewebsites.net')]",
+                        "sslState": "Disabled",
+                        "hostType": "Standard"
+                    },
+                    {
+                        "name": "[concat(parameters('sites_pike_name'), '.scm.azurewebsites.net')]",
+                        "sslState": "Disabled",
+                        "hostType": "Repository"
+                    }
+                ],
+                "serverFarmId": "[parameters('serverfarms_example_serviceplan_externalid')]",
+                "reserved": false,
+                "isXenon": false,
+                "hyperV": false,
+                "vnetRouteAllEnabled": false,
+                "vnetImagePullEnabled": false,
+                "vnetContentShareEnabled": false,
+                "siteConfig": {
+                    "numberOfWorkers": 1,
+                    "acrUseManagedIdentityCreds": false,
+                    "alwaysOn": true,
+                    "http20Enabled": true,
+                    "functionAppScaleLimit": 0,
+                    "minimumElasticInstanceCount": 0
+                },
+                "scmSiteAlsoStopped": false,
+                "clientAffinityEnabled": false,
+                "clientCertEnabled": true,
+                "clientCertMode": "Required",
+                "hostNamesDisabled": false,
+                "customDomainVerificationId": "B37B5768F8409B36E596577BDBC882653FCC6A7FD697EBEE151AB7C532C897E5",
+                "containerSize": 0,
+                "dailyMemoryTimeQuota": 0,
+                "httpsOnly": true,
+                "redundancyMode": "None",
+                "publicNetworkAccess": "Enabled",
+                "storageAccountRequired": false,
+                "keyVaultReferenceIdentity": "SystemAssigned"
+            }
+        },
+        {
+            "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
+            "apiVersion": "2022-09-01",
+            "name": "[concat(parameters('sites_pike_name'), '/ftp')]",
+            "location": "UK South",
+            "dependsOn": [
+                "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]"
+            ],
+            "properties": {
+                "allow": true
+            }
+        },
+        {
+            "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
+            "apiVersion": "2022-09-01",
+            "name": "[concat(parameters('sites_pike_name'), '/scm')]",
+            "location": "UK South",
+            "dependsOn": [
+                "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]"
+            ],
+            "properties": {
+                "allow": true
+            }
+        },
+        {
+            "type": "Microsoft.Web/sites/config",
+            "apiVersion": "2022-09-01",
+            "name": "failed",
+            "location": "UK South",
+            "dependsOn": [
+                "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]"
+            ],
+            "properties": {
+                "numberOfWorkers": 1,
+                "defaultDocuments": [
+                    "Default.htm",
+                    "Default.html",
+                    "Default.asp",
+                    "index.htm",
+                    "index.html",
+                    "iisstart.htm",
+                    "default.aspx",
+                    "index.php",
+                    "hostingstart.html"
+                ],
+                "netFrameworkVersion": "v5.0",
+                "phpVersion": "5.6",
+                "requestTracingEnabled": true,
+                "requestTracingExpirationTime": "9999-12-31T23:59:00Z",
+                "remoteDebuggingEnabled": false,
+                "remoteDebuggingVersion": "VS2019",
+                "httpLoggingEnabled": true,
+                "acrUseManagedIdentityCreds": false,
+                "logsDirectorySizeLimit": 25,
+                "detailedErrorLoggingEnabled": true,
+                "publishingUsername": "$pike",
+                "scmType": "None",
+                "use32BitWorkerProcess": true,
+                "webSocketsEnabled": false,
+                "alwaysOn": true,
+                "managedPipelineMode": "Integrated",
+                "virtualApplications": [
+                    {
+                        "virtualPath": "/",
+                        "physicalPath": "site\\wwwroot",
+                        "preloadEnabled": true
+                    }
+                ],
+                "loadBalancing": "LeastRequests",
+                "experiments": {
+                    "rampUpRules": []
+                },
+                "autoHealEnabled": false,
+                "vnetRouteAllEnabled": false,
+                "vnetPrivatePortsCount": 0,
+                "publicNetworkAccess": "Enabled",
+                "localMySqlEnabled": false,
+                "managedServiceIdentityId": 24556,
+                "ipSecurityRestrictions": [
+                    {
+                        "ipAddress": "Any",
+                        "action": "Allow",
+                        "priority": 2147483647,
+                        "name": "Allow all",
+                        "description": "Allow all access"
+                    }
+                ],
+                "scmIpSecurityRestrictions": [
+                    {
+                        "ipAddress": "Any",
+                        "action": "Allow",
+                        "priority": 2147483647,
+                        "name": "Allow all",
+                        "description": "Allow all access"
+                    }
+                ],
+                "scmIpSecurityRestrictionsUseMain": false,
+                "http20Enabled": true,
+                "minTlsVersion": "1.2",
+                "scmMinTlsVersion": "1.2",
+                "ftpsState": "FtpsOnly",
+                "preWarmedInstanceCount": 0,
+                "elasticWebAppScaleLimit": 0,
+                "healthCheckPath": "/health",
+                "functionsRuntimeScaleMonitoringEnabled": false,
+                "minimumElasticInstanceCount": 0,
+                "azureStorageAccounts": {
+                    "shady": {
+                        "type": "AzureFiles",
+                        "accountName": "piketest",
+                        "shareName": "pike",
+                        "mountPath": "\\\\mounts\\shady"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Web/sites/hostNameBindings",
+            "apiVersion": "2022-09-01",
+            "name": "[concat(parameters('sites_pike_name'), '/', parameters('sites_pike_name'), '.azurewebsites.net')]",
+            "location": "UK South",
+            "dependsOn": [
+                "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]"
+            ],
+            "properties": {
+                "siteName": "pike",
+                "hostNameType": "Verified"
+            }
+        }
+    ]
+}