fix(sast): fix cdk policies (#6552)

* fix policies

* small change

cdk_integration_tests/test_checks_typescript.py

@@ -280,12 +280,12 @@ def test_CKV_AWS_3_EBSEncryption(failed_checks):
     run_check(check_results=failed_checks, check_id="CKV_AWS_3", policy_name="EBSEncryption", language="typescript")
 
 
-def CKV_AWS_18_S3BucketLogging(failed_checks):
+def test_CKV_AWS_18_S3BucketLogging(failed_checks):
     run_check(check_results=failed_checks, check_id="CKV_AWS_18", policy_name="S3BucketLogging",
               language="typescript")
 
 
-def CKV_AWS_19_S3BucketEncryption(failed_checks):
+def test_CKV_AWS_19_S3BucketEncryption(failed_checks):
     run_check(check_results=failed_checks, check_id="CKV_AWS_19", policy_name="S3BucketEncryption",
               language="typescript")
 
@@ -295,12 +295,12 @@ def CKV_AWS_21_S3BucketVersioning(failed_checks):
               language="typescript")
 
 
-def CKV_AWS_145_S3BucketKMSEncryption(failed_checks):
+def test_CKV_AWS_145_S3BucketKMSEncryption(failed_checks):
     run_check(check_results=failed_checks, check_id="CKV_AWS_145", policy_name="S3BucketKMSEncryption",
               language="typescript")
 
 
-def CKV2_AWS_6_S3BucketPublicAccessBlock(failed_checks):
+def test_CKV2_AWS_6_S3BucketPublicAccessBlock(failed_checks):
     run_check(check_results=failed_checks, check_id="CKV2_AWS_6", policy_name="S3BucketPublicAccessBlock",
               language="typescript")
 

checkov/cdk/checks/typescript/S3BucketEncryption.yaml

@@ -1,30 +1,27 @@
 metadata:
   version: 0.2
+  approach: define failing
   id: CKV_AWS_19
   name: Ensure all data stored in the S3 bucket is securely encrypted at rest
   category: ENCRYPTION
   framework: cdk
 scope:
   languages:
-    - javascript
     - typescript
 definition:
-  or:
-    - pattern: new $FUNC(<ANY>)
-      conditions:
-        - metavariable: $FUNC
-          regex: (?i)(Bucket|CfnBucket)
-        - not_pattern: |
-            'new $FUNC(<ANY>, encryption: $METHOD ,<ANY>)'
-          conditions:
-            - metavariable: $METHOD
-              regex: (?i)(BucketEncryption.KMS_MANAGED|BucketEncryption.S3_MANAGED|BucketEncryption.KMS)
-    - pattern: new $S3.$FUNC(<ANY>)
-      conditions:
-        - metavariable: $FUNC
-          regex: (?i)(Bucket|CfnBucket)
-        - not_pattern: |
-            'new $FUNC(<ANY>, encryption: $METHOD ,<ANY>)'
-          conditions:
-            - metavariable: $METHOD
-              regex: (?i)($S3.BucketEncryption.KMS_MANAGED|$S3.BucketEncryption.S3_MANAGED|$S3.BucketEncryption.KMS)
+  pattern: new $AWS.$FUNC(<ANY>)
+  conditions:
+    - metavariable: $FUNC
+      regex: (?i)(Bucket|CfnBucket)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, encryption: $AWS.BucketEncryption.KMS_MANAGED, <ANY> } ,<ANY>)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, encryption: $AWS.BucketEncryption.S3_MANAGED, <ANY> } ,<ANY>)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, encryption: $AWS.BucketEncryption.KMS, <ANY> } ,<ANY>)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, encryption: BucketEncryption.KMS_MANAGED, <ANY> } ,<ANY>)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, encryption: BucketEncryption.S3_MANAGED, <ANY> } ,<ANY>)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, encryption: BucketEncryption.KMS, <ANY> } ,<ANY>)

checkov/cdk/checks/typescript/S3BucketKMSEncryption.yaml

@@ -1,29 +1,23 @@
 metadata:
   version: 0.2
+  approach: define failing
   id: CKV_AWS_145
   name: Ensure that S3 buckets are encrypted with KMS by default
   category: ENCRYPTION
+  framework: cdk
 scope:
   languages:
-    - javascript
     - typescript
 definition:
-  or:
-    - pattern: new $FUNC(<ANY>)
-      conditions:
-        - metavariable: $FUNC
-          regex: (?i)(Bucket|CfnBucket)
-        - not_pattern: |
-            'new $FUNC(<ANY>, encryption: $METHOD ,<ANY>)'
-          conditions:
-            - metavariable: $METHOD
-              regex: (?i)(aws_cdk.aws_s3.BucketEncryption.KMS_MANAGED|aws_cdk.aws_s3.BucketEncryption.KMS)
-    - pattern: new $S3.$FUNC(<ANY>)
-      conditions:
-        - metavariable: $FUNC
-          regex: (?i)(Bucket|CfnBucket)
-        - not_pattern: |
-            'new $FUNC(<ANY>, encryption: $METHOD ,<ANY>)'
-          conditions:
-            - metavariable: $METHOD
-              regex: (?i)(aws_cdk.aws_s3.BucketEncryption.KMS_MANAGED|aws_cdk.aws_s3.BucketEncryption.KMS)
+  pattern: new $AWS.$FUNC(<ANY>)
+  conditions:
+    - metavariable: $FUNC
+      regex: (?i)(Bucket|CfnBucket)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, encryption: $AWS.BucketEncryption.KMS_MANAGED, <ANY> } ,<ANY>)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, encryption: $AWS.BucketEncryption.KMS, <ANY> } ,<ANY>)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, encryption: BucketEncryption.KMS_MANAGED, <ANY> } ,<ANY>)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, encryption: BucketEncryption.KMS, <ANY> } ,<ANY>)

checkov/cdk/checks/typescript/S3BucketLogging.yaml

@@ -1,29 +1,17 @@
 metadata:
   version: 0.2
+  approach: define failing
   id: CKV_AWS_18
   name: Ensure the S3 bucket has access logging enabled
   category: LOGGING
+  framework: cdk
 scope:
   languages:
-    - javascript
     - typescript
 definition:
-  or:
-    - pattern: new $FUNC(<ANY>)
-      conditions:
-        - metavariable: $FUNC
-          regex: (?i)(Bucket|CfnBucket)
-        - not_pattern: |
-            'new $FUNC(<ANY>, serverAccessLogsBucket: $BUCKET.$LOGGER(<ANY>) ,<ANY>)'
-          conditions:
-            - metavariable: $LOGGER
-              regex: (?i)(fromBucketArn|fromBucketAttributes|fromBucketName|fromBucketRegionalAttributes|fromBucketUrl)
-    - pattern: new $S3.$FUNC(<ANY>)
-      conditions:
-        - metavariable: $FUNC
-          regex: (?i)(Bucket|CfnBucket)
-        - not_pattern: |
-            'new $FUNC(<ANY>, serverAccessLogsBucket: $S3.$BUCKET.$LOGGER(<ANY>) ,<ANY>)'
-          conditions:
-            - metavariable: $LOGGER
-              regex: (?i)(fromBucketArn|fromBucketAttributes|fromBucketName|fromBucketRegionalAttributes|fromBucketUrl)
+  pattern: new $AWS.$FUNC(<ANY>)
+  conditions:
+    - metavariable: $FUNC
+      regex: (Bucket|CfnBucket)
+    - not_pattern: |
+        new $AWS.$FUNC(<ANY>, { <ANY>, serverAccessLogsBucket: <ANY> , <ANY> } ,<ANY>)

checkov/cdk/checks/typescript/S3BucketPublicAccessBlock.yaml

@@ -1,30 +1,17 @@
 metadata:
   version: 0.2
+  approach: define failing
   id: CKV2_AWS_6
   name: Ensure that S3 bucket has a Public Access block
   category: NETWORKING
   framework: cdk
 scope:
   languages:
-    - javascript
     - typescript
 definition:
-  or:
-    - pattern: new $FUNC(<ANY>)
-      conditions:
-        - metavariable: $FUNC
-          regex: (?i)(Bucket|CfnBucket)
-        - not_pattern: |
-            'new $FUNC(<ANY>, blockPublicAccess: BlockPublicAccess.$ATR ,<ANY>)'
-          conditions:
-            - metavariable: $ATR
-              regex: (?i)(BLOCK_ALL|BLOCK_ACLS|BLOCK_POLICY|RESTRICTED)
-    - pattern: new $S3.$FUNC(<ANY>)
-      conditions:
-        - metavariable: $FUNC
-          regex: (?i)(Bucket|CfnBucket)
-        - not_pattern: |
-            'new $S3.$FUNC(<ANY>, blockPublicAccess: $S3.BlockPublicAccess.$ATR ,<ANY>)'
-          conditions:
-            - metavariable: $ATR
-              regex: (?i)(BLOCK_ALL|BLOCK_ACLS|BLOCK_POLICY|RESTRICTED)
+  pattern: new $S3.$FUNC(<ANY>)
+  conditions:
+    - metavariable: $FUNC
+      regex: (?i)(Bucket|CfnBucket)
+    - not_pattern: |
+        new $S3.$FUNC(<ANY>, { <ANY>, blockPublicAccess: <ANY> , <ANY> } ,<ANY>)