fix conflicts

.github/exclude-patterns.txt

@@ -34,3 +34,4 @@ tests/terraform/runner/tf_plan_skip_check_regex/resource/.*
 tests/terraform/runner/tfplan2.json
 .*Scans.md
 .*Pipfile.lock
+cdk_integration_tests/src/python

CHANGELOG.md

@@ -1,6 +1,31 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.0.16...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.0.21...HEAD)
+
+## [3.0.21](https://github.com/bridgecrewio/checkov/compare/3.0.19...3.0.21) - 2023-11-05
+
+### Feature
+
+- **terraform:** Ensure App Service Environment is zone redundant - [#5662](https://github.com/bridgecrewio/checkov/pull/5662)
+- **terraform:** Ensure that Standard Replication is enabled - [#5649](https://github.com/bridgecrewio/checkov/pull/5649)
+
+### Bug Fix
+
+- **sca:** Setting only relevant cves for the extracted reachable functions with risk factor of ReachableFunction as True - [#5715](https://github.com/bridgecrewio/checkov/pull/5715)
+- **terraform:** CKV_AWS_208 valid Amazon MQ versions - [#5653](https://github.com/bridgecrewio/checkov/pull/5653)
+
+## [3.0.19](https://github.com/bridgecrewio/checkov/compare/3.0.16...3.0.19) - 2023-11-02
+
+### Feature
+
+- **sca:** adjusting the cli-output to support indicating of reachable functions  - [#5713](https://github.com/bridgecrewio/checkov/pull/5713)
+- **terraform:** Adding YAML based build time policies for corresponding PC runtime policies - [#5637](https://github.com/bridgecrewio/checkov/pull/5637)
+- **terraform:** bigtable deletion protection [depends on #5625] - [#5626](https://github.com/bridgecrewio/checkov/pull/5626)
+- **terraform:** drop and deletion checks for spanner - [#5625](https://github.com/bridgecrewio/checkov/pull/5625)
+
+### Bug Fix
+
+- **sast:** add cveid to reachability report - [#5708](https://github.com/bridgecrewio/checkov/pull/5708)
 
 ## [3.0.16](https://github.com/bridgecrewio/checkov/compare/3.0.15...3.0.16) - 2023-11-01
 

cdk_integration_tests/src/python/DocDBEncryption/fail__1__.py

@@ -12,7 +12,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             "MyDocDBCluster",
             db_cluster_identifier="my-docdb-cluster",
             master_username="admin",
-            master_user_password="mypassword",
+            master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
             port=27017,  # Specify the port as needed
         )

cdk_integration_tests/src/python/DocDBEncryption/pass.py

@@ -12,7 +12,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             "MyDocDBCluster",
             db_cluster_identifier="my-docdb-cluster",
             master_username="admin",
-            master_user_password="mypassword",
+            master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             storage_encrypted=True,  # Enable storage encryption
             availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
             port=27017,  # Specify the port as needed

cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/fail__2__.py

@@ -13,7 +13,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             engine="neptune",
             db_cluster_identifier="my-neptune-cluster",
             master_username="admin",
-            master_user_password="mypassword",
+            master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             storage_encrypted=False,  # Enable storage encryption
             port=8182,  # Specify the port as needed
             availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
@@ -31,7 +31,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             engine=neptune.DatabaseClusterEngine.NEPTUNE,
             master_user=neptune.Login(
                 username="admin",
-                password="mypassword",
+                password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             ),
             default_database_name="mydb",
             removal_policy=core.RemovalPolicy.DESTROY,  # Set the removal policy as needed

cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/pass.py

@@ -13,7 +13,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             engine="neptune",
             db_cluster_identifier="my-neptune-cluster",
             master_username="admin",
-            master_user_password="mypassword",
+            master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             storage_encrypted=True,  # Enable storage encryption
             port=8182,  # Specify the port as needed
             availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
@@ -31,7 +31,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             engine=neptune.DatabaseClusterEngine.NEPTUNE,
             master_user=neptune.Login(
                 username="admin",
-                password="mypassword",
+                password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             ),
             default_database_name="mydb",
             storage_encrypted=True,  # Enable storage encryption

checkov/cdk/checks/python/DAXEncryption.yaml

@@ -10,4 +10,8 @@ scope:
 definition:
   pattern: aws_cdk.aws_dax.CfnCluster(<ANY>)
   conditions:
-    - not_pattern: aws_cdk.aws_dax.CfnCluster(<ANY>, sse_specification=aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(<ANY>, enabled=True , <ANY>), <ANY>)
+    - not_pattern: aws_cdk.aws_dax.CfnCluster(<ANY>, sse_specification=aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(<ANY>, enabled=True , <ANY>), <ANY>)
+    - not_pattern: |
+        $P = aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(<ANY>, enabled=True , <ANY>)
+        <ANY>
+        aws_cdk.aws_dax.CfnCluster(sse_specification=$P)

checkov/cdk/checks/python/LambdaDLQConfigured.yaml

@@ -15,7 +15,7 @@ definition:
           - not_pattern: aws_cdk.aws_lambda.Function(<ANY>, dead_letter_queue=$ARG, <ANY>)
       - pattern: aws_cdk.aws_lambda.CfnFunction(<ANY>)
         conditions:
-          - not_pattern: aws_cdk.aws_lambda.CfnFunction(<ANY>, dead_letter_config={<ANY>}, <ANY>)
+          - not_pattern: aws_cdk.aws_lambda.CfnFunction(<ANY>, dead_letter_config=$ARG, <ANY>)
       - pattern: aws_cdk.aws_sam.CfnFunction(<ANY>)
         conditions:
-          - not_pattern: aws_cdk.aws_sam.CfnFunction(<ANY>, dead_letter_queue=aws_cdk.aws_sam.CfnFunction.DeadLetterQueueProperty(<ANY>), <ANY>)
+          - not_pattern: aws_cdk.aws_sam.CfnFunction(<ANY>, dead_letter_queue=$ARG, <ANY>)

checkov/cdk/checks/python/LambdaInVPC.yaml

@@ -15,4 +15,4 @@ definition:
           - not_pattern: aws_cdk.aws_lambda.Function(<ANY>, vpc=$VPC, <ANY>)
       - pattern: aws_cdk.aws_sam.CfnFunction(<ANY>)
         conditions:
-          - not_pattern: aws_cdk.aws_sam.CfnFunction(<ANY>, vpc_config=aws_cdk.aws_sam.CfnFunction.VpcConfigProperty(<ANY>), <ANY>)
+          - not_pattern: aws_cdk.aws_sam.CfnFunction(<ANY>, vpc_config=$ARG, <ANY>)

checkov/cdk/checks/python/WAFEnabled.yaml

@@ -10,4 +10,4 @@ scope:
 definition:
   pattern: aws_cdk.aws_cloudfront.CfnDistribution(<ANY>)
   conditions:
-    - not_pattern: 'aws_cdk.aws_cloudfront.CfnDistribution(<ANY>, distribution_config={<ANY>, "webAclId": <ANY> , <ANY>} , <ANY>)'
+    - not_pattern: 'aws_cdk.aws_cloudfront.CfnDistribution(<ANY>, distribution_config={"webAclId": $ARG} , <ANY>)'

checkov/common/bridgecrew/integration_features/features/vulnerabilities_integration.py

@@ -2,7 +2,7 @@
 
 import os
 from collections import defaultdict
-from typing import TYPE_CHECKING, Optional, List, Dict, Any, Tuple
+from typing import TYPE_CHECKING, Optional, List, Dict, Any, Tuple, Set
 
 from checkov.common.bridgecrew.check_type import CheckType
 from checkov.common.bridgecrew.integration_features.base_integration_feature import BaseIntegrationFeature
@@ -94,11 +94,11 @@ def merge_sca_and_sast_reports(self, merged_reports: list[Report]) -> None:
                 continue
 
             # Create maps with the relevant structure for the enrichment step
-            sast_files_by_packages_map = self.create_file_by_package_map(filtered_imports_entries)
-            sast_reachable_data_by_packages_map = self.create_reachable_data_by_package_map(filtered_reachability_entries)
+            sast_files_by_package_map = self.create_file_by_package_map(filtered_imports_entries)
+            sast_reachable_cves_by_package_map = self.create_reachable_cves_by_package_map(filtered_reachability_entries)
 
             # Enrich the CVEs
-            self.enrich_cves_with_sast_data(current_cves, sast_files_by_packages_map, sast_reachable_data_by_packages_map)
+            self.enrich_cves_with_sast_data(current_cves, sast_files_by_package_map, sast_reachable_cves_by_package_map)
 
     '''
     Each SCA report check has file_path, we want to getter same file_path so we won't have to calculate SAST language more then once
@@ -139,40 +139,41 @@ def create_file_by_package_map(self, filtered_entries: List[Tuple[Any, Any]]) ->
 
         return sast_files_by_packages_map
 
-    def create_reachable_data_by_package_map(self, filtered_reachability_entries: List[Tuple[Any, Any]]) -> Dict[str, Dict[str, List[str]]]:
-        reachable_data_by_packages_map: Dict[str, Dict[str, List[str]]] = defaultdict(dict)
-        for code_file_path, file_data in filtered_reachability_entries:
+    def create_reachable_cves_by_package_map(self, filtered_reachability_entries: List[Tuple[Any, Any]]) -> Dict[str, Set[str]]:
+        reachable_cves_by_packages_map: Dict[str, Set[str]] = defaultdict(set)
+        for _, file_data in filtered_reachability_entries:
             packages = file_data.packages
             for package_name, package_data in packages.items():
-                reachable_data_by_packages_map[package_name][code_file_path] = package_data.functions
-        return reachable_data_by_packages_map
+                for function_item in package_data.functions:
+                    reachable_cves_by_packages_map[package_name].add(function_item.cve_id)
+        return reachable_cves_by_packages_map
 
 #######################################################################################################################
     '''
     enrich each CVE with the risk factor of IsUsed - which means there is a file the use the package of that CVE
     '''
 
-    def _is_package_used_for_cve(self, cve_vulnerability_details: Dict[str, Any], sast_files_by_packages_map: Dict[str, List[str]]) -> bool:
+    def _is_package_used_for_cve(self, cve_vulnerability_details: Dict[str, Any], sast_files_by_package_map: Dict[str, List[str]]) -> bool:
         package_name = cve_vulnerability_details.get('package_name', '')
         normalize_package_name = self.normalize_package_name(package_name)
-        return package_name in sast_files_by_packages_map or normalize_package_name in sast_files_by_packages_map
+        return package_name in sast_files_by_package_map or normalize_package_name in sast_files_by_package_map
 
-    def _is_reachable_function_for_cve(self, cve_vulnerability_details: Dict[str, Any], sast_reachable_data_by_packages_map: Dict[str, Dict[str, List[str]]]) -> bool:
+    def _is_reachable_function_for_cve(self, cve_vulnerability_details: Dict[str, Any], sast_reachable_cves_by_package_map: Dict[str, Set[str]]) -> bool:
         package_name = cve_vulnerability_details.get('package_name', '')
-        return package_name in sast_reachable_data_by_packages_map
+        return cve_vulnerability_details.get('id') in sast_reachable_cves_by_package_map.get(package_name, set())
 
     def enrich_cves_with_sast_data(
             self,
             current_cves: List[Record],
-            sast_files_by_packages_map: Dict[str, List[str]],
-            sast_reachable_data_by_packages_map: Dict[str, Dict[str, List[str]]]
+            sast_files_by_package_map: Dict[str, List[str]],
+            sast_reachable_cves_by_package_map: Dict[str, Set[str]]
     ) -> None:
         for cve_check in current_cves:
             if cve_check.vulnerability_details:
-                is_package_used = self._is_package_used_for_cve(cve_check.vulnerability_details, sast_files_by_packages_map)
+                is_package_used = self._is_package_used_for_cve(cve_check.vulnerability_details, sast_files_by_package_map)
                 cve_check.vulnerability_details.get('risk_factors', {})['IsUsed'] = is_package_used
 
-                is_reachable_function = self._is_reachable_function_for_cve(cve_check.vulnerability_details, sast_reachable_data_by_packages_map)
+                is_reachable_function = self._is_reachable_function_for_cve(cve_check.vulnerability_details, sast_reachable_cves_by_package_map)
                 cve_check.vulnerability_details.get('risk_factors', {})['ReachableFunction'] = is_reachable_function
 #######################################################################################################################
 

checkov/terraform/checks/resource/aws/MQBrokerVersion.py

@@ -4,8 +4,8 @@
 
 ENGINE_VERSION_PATTERN = re.compile(r"(\d+\.\d+.\d+)")
 ENGINE_VERSION_SHORT_PATTERN = re.compile(r"(\d+\.\d+)")
-MINIMUM_ACTIVEMQ_VERSION = 5.16
-MINIMUM_RABBITMQ_VERSION = 3.8
+MINIMUM_ACTIVEMQ_VERSION = 5.17
+MINIMUM_RABBITMQ_VERSION = 3.11
 
 
 class MQBrokerVersion(BaseResourceCheck):

checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py

@@ -0,0 +1,17 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServiceEnvironmentZoneRedundant(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure App Service Environment is zone redundant"
+        id = "CKV_AZURE_231"
+        supported_resources = ("azurerm_app_service_environment_v3",)
+        categories = (CheckCategories.BACKUP_AND_RECOVERY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "zone_redundant"
+
+
+check = AppServiceEnvironmentZoneRedundant()

checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py

@@ -0,0 +1,35 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class RedisCacheStandardReplicationEnabled(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        """
+        With Standard Replication, Azure Cache for Redis has a high availability architecture
+        that ensures your managed instance is functioning, even when outages affect
+        the underlying virtual machines (VMs). Whether the outage is planned or unplanned outages,
+        Azure Cache for Redis delivers greater percentage availability rates than what's attainable
+        by hosting Redis on a single VM.
+
+        An Azure Cache for Redis in the applicable tiers runs on a pair of Redis servers by default.
+        The two servers are hosted on dedicated VMs.
+        Open-source Redis allows only one server to handle data write requests.
+        """
+        name = "Standard Replication should be enabled"
+        id = "CKV_AZURE_230"
+        supported_resources = ("azurerm_redis_cache",)
+        categories = (CheckCategories.BACKUP_AND_RECOVERY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "sku_name"
+
+    def get_expected_values(self) -> list[Any]:
+        return ["Standard", "Premium"]
+
+
+check = RedisCacheStandardReplicationEnabled()

checkov/version.py

@@ -1 +1 @@
-version = '3.0.19'
+version = '3.0.21'