Merge pull request #358 from Azure/psruleUpdate

Fixes for release 0.6.0 -> release 0.7.0

.github/workflows/dotnet.yml

@@ -35,7 +35,7 @@ jobs:
     - name: Setup .NET
       uses: actions/setup-dotnet@v1
       with:
-        dotnet-version: 7.x
+        dotnet-version: 8.x
 
     - name: Setup NuGet
       uses: nuget/setup-nuget@v1

azure-pipelines.yml

@@ -23,7 +23,7 @@ variables:
 steps:
 - task: UseDotNet@2
   inputs:
-    version: '7.x'
+    version: '8.x'
 
 - task: DotNetCoreCLI@2
   displayName: 'Build'

src/Analyzer.BicepProcessor.UnitTests/Analyzer.BicepProcessor.UnitTests.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
 
     <IsPackable>false</IsPackable>
 

src/Analyzer.BicepProcessor/Analyzer.BicepProcessor.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <AssemblyName>Microsoft.Azure.Templates.Analyzer.BicepProcessor</AssemblyName>
     <RootNamespace>Microsoft.Azure.Templates.Analyzer.BicepProcessor</RootNamespace>
   </PropertyGroup>
@@ -11,7 +11,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Bicep.Core" Version="0.24.24" />
+    <PackageReference Include="Azure.Bicep.Core" Version="0.25.53" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
   </ItemGroup>
 

src/Analyzer.BicepProcessor/SourceMapFeatureProvider.cs

@@ -68,9 +68,6 @@ public SourceMapFeatureProvider(IFeatureProvider features)
         /// <inheritdoc/>
         public bool AssertsEnabled => features.AssertsEnabled;
 
-        /// <inheritdoc/>
-        public bool CompileTimeImportsEnabled => features.CompileTimeImportsEnabled;
-
         /// <inheritdoc/>
         public bool MicrosoftGraphPreviewEnabled => features.MicrosoftGraphPreviewEnabled;
 
@@ -82,5 +79,8 @@ public SourceMapFeatureProvider(IFeatureProvider features)
 
         /// <inheritdoc/>
         public bool OptionalModuleNamesEnabled => features.OptionalModuleNamesEnabled;
+
+        /// <inheritdoc/>
+        public bool ResourceDerivedTypesEnabled => features.ResourceDerivedTypesEnabled;
     }
 }

src/Analyzer.Cli.FunctionalTests/Analyzer.Cli.FunctionalTests.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
 
     <IsPackable>false</IsPackable>
 

src/Analyzer.Cli.FunctionalTests/CommandLineParserTests.cs

@@ -209,7 +209,7 @@ public void AnalyzeDirectory_ExecutionWithErrorAndWarning_PrintsExpectedMessages
                 expectedLogSummary += $"{Environment.NewLine}\tThe verbose mode (option -v or --verbose) can be used to obtain even more information about the execution.";
             }
 
-            var warningMessage = "An exception occurred when processing the template language expressions";
+            var warningMessage = "The parsing of the template output named badOutput failed";
             var errorMessage1 = $"An exception occurred while analyzing template {Path.Combine(directoryToAnalyze, "ReportsError.json")}";
             var errorMessage2 = $"An exception occurred while analyzing template {Path.Combine(directoryToAnalyze, "ReportsError2.json")}";
 
@@ -263,8 +263,7 @@ public void AnalyzeDirectory_ExecutionWithErrorAndWarning_PrintsExpectedMessages
                 {
                     errorLog += $"{Environment.NewLine}Exception details:" +
                         $"{Environment.NewLine}Microsoft.Azure.Templates.Analyzer.Core.TemplateAnalyzerException: Error while processing template.";
-                    warningLog += $"{Environment.NewLine}Exception details:" +
-                        $"{Environment.NewLine}Azure.Deployments.Templates.Exceptions.TemplateValidationException: The template parameter 'location' is not found.";
+                    // output parse warning does not trigger exception, only log
                 }
                 var outputBeforeSummary = cliConsoleOutput[..indexOfLogSummary];
                 Assert.IsTrue(outputBeforeSummary.IndexOf(errorLog) > 0);

src/Analyzer.Cli.FunctionalTests/Tests/ToTestSummaryLogger/ReportsWarning.json

@@ -6,9 +6,14 @@
       "apiVersion": "2019-08-01",
       "type": "Microsoft.Web/sites",
       "name": "usesUndefinedParameter",
-      "location": "[parameters('location')]",
       "properties": {
       }
     }
-  ]
+  ],
+  "outputs": {
+    "badOutput": {
+      "type": "string",
+      "value": "[parameters('ImAComputer')]"
+    }
+  }
 }

src/Analyzer.Cli.FunctionalTests/Tests/TriggersOnlyNonSecurityRules.json

@@ -10,7 +10,16 @@
       "name": "aWorkspace",
       "apiVersion": "2016-12-01",
       "location": "",
-      "properties": {}
+      "identity": {
+        "type": "UserAssigned",
+        "userAssignedIdentities": {
+          "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'example'))]": {}
+        }
+      },
+      "properties": {
+        "primaryUserAssignedIdentity": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'example')]",
+        "publicNetworkAccess": "Disabled"
+      }
     }
   ],
   "outputs": {}

src/Analyzer.Cli.NuGet/Analyzer.Cli.nuspec

@@ -12,7 +12,7 @@
   </metadata>
 
   <files>
-    <file src="..\Analyzer.Cli\bin\$configuration$\net7.0\$runtimeId$\publish\**" target="tools/" exclude="**\*.pdb" />
+    <file src="..\Analyzer.Cli\bin\$configuration$\net8.0\$runtimeId$\publish\**" target="tools/" exclude="**\*.pdb" />
   </files>
 
 </package>

src/Analyzer.Cli/Analyzer.Cli.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <AssemblyName>TemplateAnalyzer</AssemblyName>
     <Description>A command line interface for Microsoft.Azure.Templates.Analyzer.Core - an ARM and Bicep template scanner for security misconfigurations and best practices</Description>
   </PropertyGroup>

src/Analyzer.Core.BuiltInRuleTests/Analyzer.Core.BuiltInRuleTests.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
 
     <IsPackable>false</IsPackable>
   </PropertyGroup>

src/Analyzer.Core.NuGet/Analyzer.Core.nuspec

@@ -11,14 +11,14 @@
     <tags>arm bicep azure template analyzer scanner deployment security</tags>
 
     <dependencies>
-      <group targetFramework="net7.0">
-        <dependency id="Azure.Bicep.Core" version="0.22.6" />
-        <dependency id="Azure.Deployments.Core" version="1.0.1040" />
-        <dependency id="Azure.Deployments.Expression" version="1.0.1040" />
-        <dependency id="Azure.Deployments.Templates" version="1.0.1040" />
+      <group targetFramework="net8.0">
+        <dependency id="Azure.Bicep.Core" version="0.25.53" />
+        <dependency id="Azure.Deployments.Core" version="1.0.1158" />
+        <dependency id="Azure.Deployments.Expression" version="1.0.1158" />
+        <dependency id="Azure.Deployments.Templates" version="1.0.1158" />
         <dependency id="Newtonsoft.Json" version="13.0.3" />
         <dependency id="Microsoft.Extensions.Logging.Abstractions" version="6.0.1" />
-        <dependency id="Microsoft.PowerShell.SDK" version="7.2.12" />
+        <dependency id="Microsoft.PowerShell.SDK" version="7.4.1" />
         <dependency id="Microsoft.PSRule.Rules.Azure" version="1.26.0-B0011" />
         <dependency id="Microsoft.PSRule.SDK" version="2.8" />
         <dependency id="Sarif.Sdk" version="2.4.12" />

src/Analyzer.Core.UnitTests/Analyzer.Core.UnitTests.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
 
     <IsPackable>false</IsPackable>
 

src/Analyzer.Core.UnitTests/TemplateAnalyzerTests.cs

@@ -28,7 +28,7 @@ public static void AssemblyInitialize(TestContext context)
         [DataTestMethod]
         [DataRow(@"{ ""azureActiveDirectory"": { ""tenantId"": ""tenantId"" } }", "Microsoft.ServiceFabric/clusters", 1, 1, DisplayName = "1 matching resource with 1 passing evaluation")]
         [DataRow(@"{ ""azureActiveDirectory"": { ""someProperty"": ""propertyValue"" } }", "Microsoft.ServiceFabric/clusters", 1, 0, DisplayName = "1 matching resource with 1 failing evaluation")]
-        [DataRow(@"{ ""property1"": { ""someProperty"": ""propertyValue"" } }", "Microsoft.MachineLearningServices/workspaces", 0, 0, DisplayName = "0 matching resources with no results")]
+        [DataRow(@"{ ""property1"": { ""someProperty"": ""propertyValue"" } }", "Microsoft.MachineLearningServices/workspaces", 2, 0, DisplayName = "2 matching resources with no results")]
         [DataRow(@"{ ""azureActiveDirectory"": { ""tenantId"": ""tenantId"" } }", "Microsoft.ServiceFabric/clusters", 2, 1, @"{ ""azureActiveDirectory"": { ""someProperty"": ""propertyValue"" } }", DisplayName = "2 matching resources with 1 passing evaluation")]
         public void AnalyzeTemplate_ValidInputValues_ReturnCorrectEvaluations(string resource1Properties, string resourceType, int expectedEvaluationCount, int expectedEvaluationPassCount, string resource2Properties = null)
         {

src/Analyzer.Core/Analyzer.Core.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <RootNamespace>Microsoft.Azure.Templates.Analyzer</RootNamespace>
     <AssemblyName>Microsoft.Azure.Templates.Analyzer.Core</AssemblyName>
     <Description>An ARM and Bicep template scanner for security misconfigurations and best practices</Description>

src/Analyzer.Core/TemplateAnalyzer.cs

@@ -134,7 +134,7 @@ private IEnumerable<IEvaluation> AnalyzeAllIncludedTemplates(string populatedTem
 
             try
             {
-                templatejObject = armTemplateProcessor.ProcessTemplate(parameters, generateMissingParameters: parentContext.IsMainTemplate);
+                templatejObject = armTemplateProcessor.ProcessTemplate(parameters);
             }
             catch (Exception e)
             {

src/Analyzer.Core/TemplateAnalyzerException.cs

@@ -37,10 +37,5 @@ public TemplateAnalyzerException(string message, Exception innerException)
             : base(message, innerException)
         {
         }
-
-        protected TemplateAnalyzerException(SerializationInfo info, StreamingContext context) 
-            : base(info, context)
-        {
-        }
     }
 }

src/Analyzer.JsonRuleEngine.FunctionalTests/Analyzer.JsonRuleEngine.FunctionalTests.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
 
     <IsPackable>false</IsPackable>
 

src/Analyzer.JsonRuleEngine.UnitTests/Analyzer.JsonRuleEngine.UnitTests.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
 
     <IsPackable>false</IsPackable>
 

src/Analyzer.JsonRuleEngine/Analyzer.JsonRuleEngine.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <AssemblyName>Microsoft.Azure.Templates.Analyzer.JsonRuleEngine</AssemblyName>
     <RootNamespace>Microsoft.Azure.Templates.Analyzer.RuleEngines.JsonEngine</RootNamespace>
   </PropertyGroup>

src/Analyzer.JsonRuleEngine/JsonRuleEngineException.cs

@@ -37,10 +37,5 @@ public JsonRuleEngineException(string message, Exception innerException)
             : base(message, innerException)
         {
         }
-
-        protected JsonRuleEngineException(SerializationInfo info, StreamingContext context) 
-            : base(info, context)
-        {
-        }
     }
 }

src/Analyzer.PowerShellRuleEngine.UnitTests/Analyzer.PowerShellRuleEngine.UnitTests.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
 
     <IsPackable>false</IsPackable>
   </PropertyGroup>

src/Analyzer.PowerShellRuleEngine.UnitTests/PowerShellRuleEngineTests.cs

@@ -16,6 +16,23 @@ namespace Microsoft.Azure.Templates.Analyzer.RuleEngines.PowerShellEngine.UnitTe
     [TestClass]
     public class PowerShellRuleEngineTests
     {
+        private const string EmptyBaseline = @"
+        [
+          {
+            ""kind"": ""Baseline"",
+            ""metadata"": {
+              ""name"": ""RepeatedRulesBaseline""
+            },
+            ""apiVersion"": ""github.com/microsoft/PSRule/v1"",
+            ""spec"": {
+              ""rule"": {
+                ""exclude"": [
+                ]
+              }
+            }
+          }
+        ]";
+
         private readonly string templatesFolder = @"templates";
         private static PowerShellRuleEngine powerShellRuleEngineAllRules;
         private static PowerShellRuleEngine powerShellRuleEngineSecurityRules;
@@ -29,8 +46,8 @@ public static void AssemblyInitialize(TestContext context)
 
         [DataTestMethod]
         // PSRule detects errors in two analysis stages: when looking at the whole file (through the file path), and when looking at each resource (pipeline.Process(resource)):
-        [DataRow("template_and_resource_level_results.json", true, 13, new int[] { 1, 1, 1, 1, 8, 14, 17, 1, 17, 17, 1, 17, 1 }, DisplayName = "Running all the rules against a template with errors reported in both analysis stages")]
-        [DataRow("template_and_resource_level_results.json", false, 4, new int[] { 17, 17, 17, 17 }, DisplayName = "Running only the security rules against a template with errors reported in both analysis stages")]
+        [DataRow("template_and_resource_level_results.json", true, 14, new int[] { 1, 1, 1, 1, 8, 11, 14, 17, 1, 17, 17, 1, 17, 1 }, DisplayName = "Running all the rules against a template with errors reported in both analysis stages")]
+        [DataRow("template_and_resource_level_results.json", false, 5, new int[] { 11, 17, 17, 17, 17 }, DisplayName = "Running only the security rules against a template with errors reported in both analysis stages")]
         // TODO add test case for error, warning (rule with severity level of warning?) and informational (also rule with that severity level?)
         public void AnalyzeTemplate_ValidTemplate_ReturnsExpectedEvaluations(string templateFileName, bool runsAllRules, int expectedErrorCount, dynamic expectedLineNumbers)
         {
@@ -80,7 +97,7 @@ public void AnalyzeTemplate_ValidTemplate_ReturnsExpectedEvaluations(string temp
             Assert.AreEqual(expectedErrorCount, failedEvaluations.Count);
 
             // PSRule evaluations can change order depending on the OS:
-            foreach(var expectedLineNumber in expectedLineNumbers)
+            foreach (var expectedLineNumber in expectedLineNumbers)
             {
                 var matchingEvaluation = failedEvaluations.Find(evaluation => evaluation.Result.SourceLocation.LineNumber == expectedLineNumber);
                 failedEvaluations.Remove(matchingEvaluation);
@@ -90,7 +107,7 @@ public void AnalyzeTemplate_ValidTemplate_ReturnsExpectedEvaluations(string temp
 
         [DataTestMethod]
         [DataRow(true, DisplayName = "Repeated rules are excluded when running all the rules")]
-        [DataRow(true, DisplayName = "Repeated rules are excluded when running only the security rules")]
+        [DataRow(false, DisplayName = "Repeated rules are excluded when running only the security rules")]
         public void AnalyzeTemplate_ValidTemplate_ExcludesRepeatedRules(bool runsAllRules)
         {
             var templateFilePath = Path.Combine(templatesFolder, "triggers_excluded_rules.json");
@@ -115,19 +132,18 @@ public void AnalyzeTemplate_ValidTemplate_ExcludesRepeatedRules(bool runsAllRule
 
             // The RepeatedRulesBaseline will only be used when all rules are run
             // Otherwise SecurityBaseline is used, those rules are not in the "include" array of the baseline so they won't be executed either
-            // Next we validate that when RepeatedRulesBaseline is an empty file then the test file does indeed trigger the excluded rule:
+            // Next we validate that when RepeatedRulesBaseline has no exclusions then the test file does indeed trigger the excluded rule:
             if (runsAllRules)
             {
                 var baselineLocation = Path.Combine(Path.GetDirectoryName(AppContext.BaseDirectory), "baselines", "RepeatedRulesBaseline.Rule.json");
                 var newBaselineLocation = baselineLocation + ".moved";
                 try
                 {
                     File.Move(baselineLocation, newBaselineLocation);
-                    var emptyBaseline = File.Create(baselineLocation);
-                    emptyBaseline.Close();
-
+                    File.WriteAllText(baselineLocation, EmptyBaseline);
+
                     evaluations = powerShellRuleEngineAllRules.AnalyzeTemplate(templateContext);
-                    
+
                     Assert.IsTrue(evaluations.Any(evaluation => evaluation.RuleId == "AZR-000081"));
                 }
                 finally
@@ -138,6 +154,32 @@ public void AnalyzeTemplate_ValidTemplate_ExcludesRepeatedRules(bool runsAllRule
             }
         }
 
+        // Sanity checks for using hardcoded AZURE_RESOURCE_ALLOWED_LOCATIONS to match the placeholder region in the template processor
+        // locations used are different from the placeholder region westus2
+        [TestMethod]
+        [DataRow("templateWithDefaultLocation.json", DisplayName = "Template with default location")]
+        [DataRow("templateWithHardcodedLocation.json", DisplayName = "Template with hardcoded location")]
+        public void AnalyzeTemplate_ValidTemplate_SpecifiedLocations(string templateFileName)
+        {
+            var templateFilePath = Path.Combine(templatesFolder, templateFileName);
+
+            var template = File.ReadAllText(templateFilePath);
+            var armTemplateProcessor = new ArmTemplateProcessor(template);
+            var templatejObject = armTemplateProcessor.ProcessTemplate();
+
+            var templateContext = new TemplateContext
+            {
+                OriginalTemplate = JObject.Parse(template),
+                ExpandedTemplate = templatejObject,
+                ResourceMappings = armTemplateProcessor.ResourceMappings,
+                TemplateIdentifier = templateFilePath
+            };
+
+            var evaluations = powerShellRuleEngineSecurityRules.AnalyzeTemplate(templateContext);
+
+            Assert.IsTrue(evaluations.All(evaluation => evaluation.Passed));
+        }
+
         [TestMethod]
         [ExpectedException(typeof(ArgumentException))]
         public void AnalyzeTemplate_NullTemplateContext_ThrowsException()