updates checkov to 2.0.1220

Hack23 · Jun 19, 2022 · 55f0bf1 · 55f0bf1
1 parent d29588a
commit 55f0bf1
Show file tree

Hide file tree

Showing 8 changed files with 6,784 additions and 6,682 deletions.
diff --git a/src/main/resources/cloudformation-checkov-cloudformation-rules.xml b/src/main/resources/cloudformation-checkov-cloudformation-rules.xml
@@ -713,9 +713,9 @@
     </rule>
     <rule>
 		<key>cloudformation-CKV_AWS_61</key>
-		<name>Ensure IAM role allows only specific principals in account to assume it</name>
+		<name>Ensure AWS IAM policy does not allow assume role permission across all services</name>
 		<internalKey>cloudformation-CKV_AWS_61</internalKey>
-		<description>Ensure IAM role allows only specific principals in account to assume it</description>
+		<description>Ensure AWS IAM policy does not allow assume role permission across all services</description>
 		<severity>CRITICAL</severity>
 		<cardinality>SINGLE</cardinality>
 		<status>READY</status>
@@ -1232,9 +1232,9 @@
     </rule>
     <rule>
 		<key>cloudformation-CKV_AWS_100</key>
-		<name>Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0</name>
+		<name>Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0</name>
 		<internalKey>cloudformation-CKV_AWS_100</internalKey>
-		<description>Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0</description>
+		<description>Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0</description>
 		<severity>CRITICAL</severity>
 		<cardinality>SINGLE</cardinality>
 		<status>READY</status>
@@ -1265,9 +1265,9 @@
     </rule>
     <rule>
 		<key>cloudformation-CKV_AWS_103</key>
-		<name>Ensure that Application Load Balancer Listener is using TLS v1.2</name>
+		<name>Ensure that Load Balancer Listener is using at least TLS v1.2</name>
 		<internalKey>cloudformation-CKV_AWS_103</internalKey>
-		<description>Ensure that Application Load Balancer Listener is using TLS v1.2</description>
+		<description>Ensure that Load Balancer Listener is using at least TLS v1.2</description>
 		<severity>CRITICAL</severity>
 		<cardinality>SINGLE</cardinality>
 		<status>READY</status>
@@ -1815,6 +1815,20 @@
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
 		<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
     </rule>
-
+    <rule>
+		<key>cloudformation-CKV_AWS_258</key>
+		<name>Ensure that Lambda function URLs AuthType is not None</name>
+		<internalKey>cloudformation-CKV_AWS_258</internalKey>
+		<description>Ensure that Lambda function URLs AuthType is not None</description>
+		<severity>CRITICAL</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>checkov</tag>
+		<tag>cloudformation</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+		<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+    </rule>
 
 </rules>
diff --git a/src/test/java/com/hack23/sonar/cloudformation/CloudformationQualityProfileTest.java b/src/test/java/com/hack23/sonar/cloudformation/CloudformationQualityProfileTest.java
@@ -46,7 +46,7 @@ public void defineTest() {
 		final BuiltInQualityProfile qualityProfile = context.profile("cloudformation","Cloudformation(cfn-nag,checkov) Rules");
 		assertNotNull(qualityProfile);
 		assertFalse(qualityProfile.isDefault());
-		assertEquals(278,qualityProfile.rules().size());
+		assertEquals(279,qualityProfile.rules().size());
 		}
 		{
 		final BuiltInQualityProfile qualityProfile = context.profile("terraform","Terraform(checkov) Rules");

diff --git a/src/test/java/com/hack23/sonar/cloudformation/CloudformationSensorTest.java b/src/test/java/com/hack23/sonar/cloudformation/CloudformationSensorTest.java
@@ -129,7 +129,7 @@ public void executeSimpleCheckovReportTest() throws IOException {
 		final SensorContextTester sensorContext = SensorContextTester
 				.create(FileSystems.getDefault().getPath(".").toAbsolutePath());
 		sensorContext.fileSystem().add(inputFile);
-		final ActiveRules activeRules = new DefaultActiveRules(Arrays.asList(new NewActiveRule.Builder().setRuleKey(RuleKey.of("cloudformation-plugin-cfn","cloudformation-CKV_AWS_8")).build()));
+		final ActiveRules activeRules = new DefaultActiveRules(Arrays.asList(new NewActiveRule.Builder().setRuleKey(RuleKey.of("cloudformation-plugin-cfn","cloudformation-CKV_AWS_157")).build()));
 		sensorContext.setActiveRules(activeRules);
 		cloudformationSensor.execute(sensorContext);
 

diff --git a/src/test/java/com/hack23/sonar/cloudformation/reports/process/CheckovProcessReportsTest.java b/src/test/java/com/hack23/sonar/cloudformation/reports/process/CheckovProcessReportsTest.java
@@ -66,7 +66,7 @@ public void executeSimpleCheckovReportTest() throws IOException {
 		final SensorContextTester sensorContext = SensorContextTester
 				.create(FileSystems.getDefault().getPath(".").toAbsolutePath());
 		sensorContext.fileSystem().add(inputFile);
-		final ActiveRules activeRules = new DefaultActiveRules(Arrays.asList(new NewActiveRule.Builder().setRuleKey(RuleKey.of("cloudformation-plugin-cfn","cloudformation-CKV_AWS_8")).build()));
+		final ActiveRules activeRules = new DefaultActiveRules(Arrays.asList(new NewActiveRule.Builder().setRuleKey(RuleKey.of("cloudformation-plugin-cfn","cloudformation-CKV_AWS_157")).build()));
 		sensorContext.setActiveRules(activeRules);
 
 

diff --git a/src/test/resources/checkov/azuredeploy.checkov-report b/src/test/resources/checkov/azuredeploy.checkov-report
@@ -318,7 +318,7 @@
             },
             {
                 "check_id": "CKV_AZURE_3",
-                "bc_check_id": "BC_AZR_STORAGE_1",
+                "bc_check_id": null,
                 "check_name": "Ensure that 'supportsHttpsTrafficOnly' is set to 'true'",
                 "check_result": {
                     "result": "PASSED",
@@ -412,7 +412,7 @@
                 "short_description": null,
                 "vulnerability_details": null,
                 "connected_node": null,
-                "guideline": "https://docs.bridgecrew.io/docs/ensure-secure-transfer-required-is-enabled"
+                "guideline": null
             }
         ],
         "failed_checks": [
@@ -1049,9 +1049,9 @@
                 "guideline": "https://docs.bridgecrew.io/docs/bc_azr_logging_2"
             },
             {
-                "check_id": "CKV_AZURE_35",
-                "bc_check_id": "BC_AZR_NETWORKING_15",
-                "check_name": "Ensure default network access rule for Storage Accounts is set to deny",
+                "check_id": "CKV_AZURE_36",
+                "bc_check_id": "BC_AZR_NETWORKING_16",
+                "check_name": "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access",
                 "check_result": {
                     "result": "FAILED",
                     "evaluated_keys": []
@@ -1131,7 +1131,7 @@
                 ],
                 "resource": "Microsoft.Storage/storageAccounts.[tolower(concat('sqlva', variables('uniqueStorage')))]",
                 "evaluations": {},
-                "check_class": "checkov.arm.checks.resource.StorageAccountDefaultNetworkAccessDeny",
+                "check_class": "checkov.arm.checks.resource.StorageAccountAzureServicesAccessEnabled",
                 "fixed_definition": null,
                 "entity_tags": null,
                 "caller_file_path": null,
@@ -1144,12 +1144,12 @@
                 "short_description": null,
                 "vulnerability_details": null,
                 "connected_node": null,
-                "guideline": "https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny"
+                "guideline": "https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access"
             },
             {
-                "check_id": "CKV_AZURE_36",
-                "bc_check_id": "BC_AZR_NETWORKING_16",
-                "check_name": "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access",
+                "check_id": "CKV_AZURE_35",
+                "bc_check_id": "BC_AZR_NETWORKING_15",
+                "check_name": "Ensure default network access rule for Storage Accounts is set to deny",
                 "check_result": {
                     "result": "FAILED",
                     "evaluated_keys": []
@@ -1229,7 +1229,7 @@
                 ],
                 "resource": "Microsoft.Storage/storageAccounts.[tolower(concat('sqlva', variables('uniqueStorage')))]",
                 "evaluations": {},
-                "check_class": "checkov.arm.checks.resource.StorageAccountAzureServicesAccessEnabled",
+                "check_class": "checkov.arm.checks.resource.StorageAccountDefaultNetworkAccessDeny",
                 "fixed_definition": null,
                 "entity_tags": null,
                 "caller_file_path": null,
@@ -1242,7 +1242,7 @@
                 "short_description": null,
                 "vulnerability_details": null,
                 "connected_node": null,
-                "guideline": "https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access"
+                "guideline": "https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny"
             }
         ],
         "skipped_checks": [],
@@ -1254,7 +1254,7 @@
         "skipped": 0,
         "parsing_errors": 0,
         "resource_count": 7,
-        "checkov_version": "2.0.1119"
+        "checkov_version": "2.0.1220"
     },
     "url": "Add an api key '--bc-api-key <api-key>' to see more detailed insights via https://bridgecrew.cloud"
 }