Merge branch 'main' into BCE-24535-python-CDK-policies

bridgecrewio · Nov 2, 2023 · 349aae4 · 349aae4
2 parents d9ec616 + 2fdb6f8
commit 349aae4
Show file tree

Hide file tree

Showing 89 changed files with 3,681 additions and 2,328 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -52,7 +52,7 @@ jobs:
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v4
         with:
           python-version: ${{ matrix.python }}
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d  # v3
+      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # v3
       - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -103,16 +103,16 @@ jobs:
       - name: Install pipenv
         run: |
           python -m pip install --no-cache-dir --upgrade pipenv
-      - name: Clone Terragoat - vulnerable terraform
-        run: git clone https://github.com/bridgecrewio/terragoat
       - name: Build & install checkov package
         run: |
           # remove venv, if exists
           pipenv --rm || true
           pipenv --python ${{ env.PYTHON_VERSION }}
           pipenv run pip install pytest pytest-xdist
           pipenv run python setup.py sdist bdist_wheel
-          pipenv run pip install dist/checkov-*.whl
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone Terragoat - vulnerable terraform
+        run: git clone https://github.com/bridgecrewio/terragoat
       - name: Run checkov with Prisma creds
         env:
           PRISMA_KEY: ${{ secrets.PRISMA_KEY }}
@@ -121,6 +121,44 @@ jobs:
           pipenv run checkov -s -d terragoat --bc-api-key "$PRISMA_KEY" --repo-id yuvalyacoby/terragoat > checkov_report_prisma.txt
           grep "prismacloud.io" checkov_report_prisma.txt
           exit $?
+  sast-integration-tests:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8", "3.11"]
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    continue-on-error: true # for now it is ok to fail
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v4
+        with:
+          python-version: ${{ matrix.python }}
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone flask - Python repo for SAST
+        run: git clone https://github.com/pallets/flask
+      - name: Clone WebGoat - Java repo for SAST
+        run: git clone https://github.com/WebGoat/WebGoat
+      - name: Clone axios - JavaScript repo for SAST
+        run: git clone https://github.com/axios/axios
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.BC_API_KEY }}
+        run: bash -c './sast_integration_tests/prepare_data.sh'
+      - name: Run integration tests
+        run: |
+          pipenv run pytest sast_integration_tests
   unit-tests:
     timeout-minutes: 30
     runs-on: ubuntu-latest
@@ -154,7 +192,7 @@ jobs:
         run: |
           pipenv run python -m pytest tests
   bump-version:
-    needs: [integration-tests, unit-tests, prisma-tests]
+    needs: [integration-tests, unit-tests, prisma-tests] # add 'sast-integration-tests' when ready
     runs-on: [self-hosted, public, linux, x64]
     environment: release
     permissions:

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -54,12 +54,12 @@ jobs:
           pipenv lock -r > requirements.txt
           pip install -r requirements.txt
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80  # v2
+        uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99  # v2
         with:
           languages: python
           setup-python-dependencies: false
           config-file: ./.github/codeql-config.yml
       - name: Autobuild
-        uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80  # v2
+        uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99  # v2
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80  # v2
+        uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99  # v2
diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
       - name: Install Node.js
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d  # v3
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # v4
         with:
           node-version: "16"
       - name: Install and run DangerJS
@@ -104,7 +104,7 @@ jobs:
           python-version: ${{ matrix.python }}
           cache: "pipenv"
           cache-dependency-path: "Pipfile.lock"
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d  # v3
+      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # v4
       - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -156,7 +156,6 @@ jobs:
           python-version: ${{ matrix.python }}
           cache: "pipenv"
           cache-dependency-path: "Pipfile.lock"
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d  # v3
       - name: Install pipenv
         run: |
           python -m pip install --no-cache-dir --upgrade pipenv
@@ -202,7 +201,6 @@ jobs:
           python-version: ${{ matrix.python }}
           cache: "pipenv"
           cache-dependency-path: "Pipfile.lock"
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d  # v3
       - name: Install pipenv
         run: |
           python -m pip install --no-cache-dir --upgrade pipenv
@@ -240,7 +238,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: "pipenv"
           cache-dependency-path: "Pipfile.lock"
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d  # v3
+      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # v4
       - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -18,7 +18,7 @@ repos:
       - id: teyit
         language_version: python3.9
   - repo: https://github.com/rhysd/actionlint
-    rev: v1.6.25
+    rev: v1.6.26
     hooks:
       - id: actionlint-docker
         # SC2129 - Consider using { cmd1; cmd2; } >> file instead of individual redirects.
@@ -33,7 +33,7 @@ repos:
         additional_dependencies:
           - vistir<0.7.0  # can be removed, when v4.0.0 of pipenv-setup comes out
   - repo: https://github.com/seddonym/import-linter  # checks the import dependencies between each other
-    rev: v1.12.0
+    rev: v1.12.1
     hooks:
       - id: import-linter
         language_version: python3.9

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,31 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.0.12...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.0.16...HEAD)
+
+## [3.0.16](https://github.com/bridgecrewio/checkov/compare/3.0.15...3.0.16) - 2023-11-01
+
+### Feature
+
+- **sca:** Extending reachability post-runner in checkov and enriching cves with ReachableFunction data - [#5707](https://github.com/bridgecrewio/checkov/pull/5707)
+
+## [3.0.15](https://github.com/bridgecrewio/checkov/compare/3.0.14...3.0.15) - 2023-10-31
+
+### Bug Fix
+
+- **general:** fix duplicate components in CycloneDX report - [#5705](https://github.com/bridgecrewio/checkov/pull/5705)
+
+## [3.0.14](https://github.com/bridgecrewio/checkov/compare/3.0.13...3.0.14) - 2023-10-30
+
+### Bug Fix
+
+- **general:** address python 3.12 SyntaxWarning - [#5699](https://github.com/bridgecrewio/checkov/pull/5699)
+- **terraform:** fix variable rendering for foreach resources with dot included names - [#5701](https://github.com/bridgecrewio/checkov/pull/5701)
+
+## [3.0.13](https://github.com/bridgecrewio/checkov/compare/3.0.12...3.0.13) - 2023-10-29
+
+### Bug Fix
+
+- **sast:** comment out SAST JS integration test - [#5697](https://github.com/bridgecrewio/checkov/pull/5697)
 
 ## [3.0.12](https://github.com/bridgecrewio/checkov/compare/3.0.7...3.0.12) - 2023-10-26
 

diff --git a/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py b/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py
@@ -1,16 +1,20 @@
+from __future__ import annotations
+
+from typing import Any
+
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_parameter_check import BaseParameterCheck
 
 
 class SecureStringParameterNoHardcodedValue(BaseParameterCheck):
-    def __init__(self):
+    def __init__(self) -> None:
         name = "SecureString parameter should not have hardcoded default values"
         id = "CKV_AZURE_131"
-        supported_resources = ['secureString']
-        categories = [CheckCategories.SECRETS]
+        supported_resources = ('secureString',)
+        categories = (CheckCategories.SECRETS,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def scan_resource_conf(self, conf):
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
         # https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/test-cases#secure-parameters-cant-have-hardcoded-default
         default_value = conf.get('defaultValue')
         if default_value:  # should be missing, or an empty string

diff --git a/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py b/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py
@@ -1,21 +1,28 @@
+from typing import Any
+
 from checkov.common.models.consts import ANY_VALUE
 from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.arm.base_resource_value_check import BaseResourceValueCheck
 
 
 class APIServicesUseVirtualNetwork(BaseResourceValueCheck):
-    def __init__(self):
+    def __init__(self) -> None:
         name = "Ensure that API management services use virtual networks"
         id = "CKV_AZURE_107"
-        supported_resources = ['Microsoft.ApiManagement/service']
-        categories = [CheckCategories.NETWORKING]
-        super().__init__(name=name, id=id, categories=categories,
-                         supported_resources=supported_resources, missing_block_result=CheckResult.FAILED)
+        supported_resources = ("Microsoft.ApiManagement/service",)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(
+            name=name,
+            id=id,
+            categories=categories,
+            supported_resources=supported_resources,
+            missing_block_result=CheckResult.FAILED,
+        )
 
-    def get_inspected_key(self):
+    def get_inspected_key(self) -> str:
         return "properties/virtualNetworkConfiguration"
 
-    def get_expected_value(self):
+    def get_expected_value(self) -> Any:
         return ANY_VALUE
 
 

diff --git a/checkov/arm/checks/resource/AppServiceHttps20Enabled.py b/checkov/arm/checks/resource/AppServiceHttps20Enabled.py
@@ -1,24 +1,23 @@
-from checkov.common.models.enums import CheckResult, CheckCategories
-from checkov.arm.base_resource_check import BaseResourceCheck
+from typing import Any
 
-# https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
 
 
-class AppServiceHttps20Enabled(BaseResourceCheck):
-    def __init__(self):
+class AppServiceHttps20Enabled(BaseResourceValueCheck):
+    def __init__(self) -> None:
         name = "Ensure that 'HTTP Version' is the latest if used to run the web app"
         id = "CKV_AZURE_18"
-        supported_resources = ["Microsoft.Web/sites"]
-        categories = [CheckCategories.NETWORKING]
+        supported_resources = ("Microsoft.Web/sites",)
+        categories = (CheckCategories.NETWORKING,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def scan_resource_conf(self, conf):
-        properties = conf.get("properties")
-        if isinstance(properties, dict):
-            site_config = properties.get("siteConfig")
-            if isinstance(site_config, dict) and site_config.get("http20Enabled"):
-                return CheckResult.PASSED
-        return CheckResult.FAILED
+    def get_inspected_key(self) -> str:
+        # https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites
+        return "properties/siteConfig/http20Enabled"
+
+    def get_expected_value(self) -> Any:
+        return "true"
 
 
 check = AppServiceHttps20Enabled()
diff --git a/checkov/arm/checks/resource/AppServiceMinTLSVersion.py b/checkov/arm/checks/resource/AppServiceMinTLSVersion.py
@@ -1,24 +1,23 @@
-from checkov.common.models.enums import CheckResult, CheckCategories
-from checkov.arm.base_resource_check import BaseResourceCheck
+from typing import Any
 
-# https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
 
 
-class AppServiceMinTLSVersion(BaseResourceCheck):
-    def __init__(self):
+class AppServiceMinTLSVersion(BaseResourceValueCheck):
+    def __init__(self) -> None:
         name = "Ensure web app is using the latest version of TLS encryption"
         id = "CKV_AZURE_15"
-        supported_resources = ["Microsoft.Web/sites"]
-        categories = [CheckCategories.NETWORKING]
+        supported_resources = ("Microsoft.Web/sites",)
+        categories = (CheckCategories.NETWORKING,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def scan_resource_conf(self, conf):
-        properties = conf.get("properties")
-        if isinstance(properties, dict):
-            site_config = properties.get("siteConfig")
-            if isinstance(site_config, dict) and site_config.get("minTlsVersion") == "1.2":
-                return CheckResult.PASSED
-        return CheckResult.FAILED
+    def get_inspected_key(self) -> str:
+        # https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites
+        return "properties/siteConfig/minTlsVersion"
+
+    def get_expected_value(self) -> Any:
+        return "1.2"
 
 
 check = AppServiceMinTLSVersion()
diff --git a/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py b/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py
@@ -1,21 +1,25 @@
+from typing import Any
+
 from checkov.common.models.consts import ANY_VALUE
 from checkov.common.models.enums import CheckCategories
 from checkov.arm.base_resource_value_check import BaseResourceValueCheck
 
 
 class AzureManagedDiskEncryptionSet(BaseResourceValueCheck):
-    def __init__(self):
-        name = "Ensure that managed disks use a specific set of disk encryption sets for the " \
-               "customer-managed key encryption"
+    def __init__(self) -> None:
+        name = (
+            "Ensure that managed disks use a specific set of disk encryption sets for the "
+            "customer-managed key encryption"
+        )
         id = "CKV_AZURE_93"
-        supported_resources = ['Microsoft.Compute/disks']
-        categories = [CheckCategories.ENCRYPTION]
+        supported_resources = ("Microsoft.Compute/disks",)
+        categories = (CheckCategories.ENCRYPTION,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def get_inspected_key(self):
-        return 'properties/encryption/diskEncryptionSetId'
+    def get_inspected_key(self) -> str:
+        return "properties/encryption/diskEncryptionSetId"
 
-    def get_expected_value(self):
+    def get_expected_value(self) -> Any:
         return ANY_VALUE
 
 

diff --git a/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py b/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py
@@ -1,19 +1,21 @@
+from typing import Any
+
 from checkov.common.models.enums import CheckCategories
 from checkov.arm.base_resource_value_check import BaseResourceValueCheck
 
 
 class CognitiveServicesDisablesPublicNetwork(BaseResourceValueCheck):
-    def __init__(self):
+    def __init__(self) -> None:
         name = "Ensure that Cognitive Services accounts disable public network access"
         id = "CKV_AZURE_134"
-        supported_resources = ['Microsoft.CognitiveServices/accounts']
-        categories = [CheckCategories.NETWORKING]
+        supported_resources = ("Microsoft.CognitiveServices/accounts",)
+        categories = (CheckCategories.NETWORKING,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def get_inspected_key(self):
-        return 'properties/publicNetworkAccess'
+    def get_inspected_key(self) -> str:
+        return "properties/publicNetworkAccess"
 
-    def get_expected_value(self):
+    def get_expected_value(self) -> Any:
         return "Disabled"