Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update(query): update App Service Not Using Latest TLS Encryption Version query to the latest version #7302

Merged
merged 4 commits into from
Jan 17, 2025
Merged

update(query): update App Service Not Using Latest TLS Encryption Version query to the latest version #7302

merged 4 commits into from
Jan 17, 2025

Conversation

anterosilva1985
Copy link
Contributor

@anterosilva1985 anterosilva1985 commented Dec 5, 2024
edited by cx-ruiaraujo
Loading

Reason for Proposed Changes

  • The latest TLS Encryption Version is now 1.3

Proposed Changes

  • Change the latest TLS Encryption Version from 1.2 to 1.3

I submit this contribution under the Apache-2.0 license.

@anterosilva1985
Update query.rego
301b640 
Latest TLS Encryption Version is 1.3
@anterosilva1985 anterosilva1985 requested a review from a team as a code owner December 5, 2024 15:04
@github-actions github-actions bot added community Community contribution query New query feature labels Dec 5, 2024
@anterosilva1985 anterosilva1985 changed the title Update query.rego update App Service Not Using Latest TLS Encryption Version query to the latest version Dec 5, 2024
@anterosilva1985 anterosilva1985 changed the title update App Service Not Using Latest TLS Encryption Version query to the latest version update(query): update App Service Not Using Latest TLS Encryption Version query to the latest version Dec 5, 2024
@ArturRibeiro-CX
Copy link
Contributor

Hey @anterosilva1985,
Nice contribution and great update to the query! 🎉

To make the test cases more comprehensive and complete, I would suggest the following changes:

1 - Add a positive expected result (positive2.tf) to signal an invalid configuration;
2 - Update positive_expected_result.json with the new expected result added;
3 - Update negative1.tf modifying the file with the new valid encryption level (1.3);

Negative1.tf update suggestion 
resource "azurerm_app_service" "negative1" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "LocalGit"
    min_tls_version = 1.3
  }
}
Additional Positive2.tf result && Updated Positive_expected_result.json suggestion

We could modify the current negative1 file to reflect the new invalid encryption level, such as using a version lower than 1.3 (e.g., encryption: 1.1 and 1.2 with the new query update).
This ensures the query accurately flags cases with unsupported encryption levels and effectively warns new users with the new valid encription level, which needs to be equal or higher than 1.3.

resource "azurerm_app_service" "positive2" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "LocalGit"
    min_tls_version = 1.2
  }
}

Regarding the positive_expected_result file, we could just add a new entry, updating the file as demonstrated below:

[
  {
    "queryName": "App Service Not Using Latest TLS Encryption Version",
    "severity": "MEDIUM",
    "line": 10,
    "fileName": "positive1.tf"
  },
  {
    "queryName": "App Service Not Using Latest TLS Encryption Version",
    "severity": "MEDIUM",
    "line": 10,
    "fileName": "positive2.tf"
  }
]

These are just community suggestions, but they would fix the failing unit tests and, I believe, complete your query update while enhancing the test cases a little bit. 😄
Thanks!

cx-ruiaraujo
cx-ruiaraujo approved these changes Jan 17, 2025
View reviewed changes
Copy link
Contributor

@cx-ruiaraujo cx-ruiaraujo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cx-ruiaraujo cx-ruiaraujo added terraform Terraform query arm Azure Resource Manager query labels Jan 17, 2025
@cx-ruiaraujo cx-ruiaraujo merged commit 4bf94f2 into Checkmarx:master Jan 17, 2025
27 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cx-ruiaraujo cx-ruiaraujo cx-ruiaraujo approved these changes

Assignees

@anterosilva1985 anterosilva1985

Labels
arm Azure Resource Manager query community Community contribution query New query feature terraform Terraform query
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@anterosilva1985 @ArturRibeiro-CX @cx-ruiaraujo