aquasecurity · simar7 · Nov 22, 2023 · Nov 22, 2023 · Nov 22, 2023 · Nov 24, 2023
@@ -0,0 +1,50 @@
+package arm
+
+import (
+	"context"
+
+	"github.com/aquasecurity/trivy/internal/adapters/arm/appservice"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/authorization"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/compute"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/container"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/database"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/datafactory"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/datalake"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/keyvault"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/monitor"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/network"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/securitycenter"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/storage"
+	"github.com/aquasecurity/trivy/internal/adapters/arm/synapse"
+
+	"github.com/aquasecurity/defsec/pkg/providers/azure"
+	"github.com/aquasecurity/defsec/pkg/state"
+	scanner "github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+// Adapt ...
+func Adapt(ctx context.Context, deployment scanner.Deployment) *state.State {
+	return &state.State{
+		Azure: adaptAzure(deployment),
+	}
+}
+
+func adaptAzure(deployment scanner.Deployment) azure.Azure {
+
+	return azure.Azure{
+		AppService:     appservice.Adapt(deployment),
+		Authorization:  authorization.Adapt(deployment),
+		Compute:        compute.Adapt(deployment),
+		Container:      container.Adapt(deployment),
+		Database:       database.Adapt(deployment),
+		DataFactory:    datafactory.Adapt(deployment),
+		DataLake:       datalake.Adapt(deployment),
+		KeyVault:       keyvault.Adapt(deployment),
+		Monitor:        monitor.Adapt(deployment),
+		Network:        network.Adapt(deployment),
+		SecurityCenter: securitycenter.Adapt(deployment),
+		Storage:        storage.Adapt(deployment),
+		Synapse:        synapse.Adapt(deployment),
+	}
+
+}
@@ -0,0 +1,58 @@
+package appservice
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/azure/appservice"
+	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+func Adapt(deployment azure.Deployment) appservice.AppService {
+	return appservice.AppService{
+		Services:     adaptServices(deployment),
+		FunctionApps: adaptFunctionApps(deployment),
+	}
+}
+
+func adaptFunctionApps(deployment azure.Deployment) []appservice.FunctionApp {
+	var functionApps []appservice.FunctionApp
+
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Web/sites") {
+		functionApps = append(functionApps, adaptFunctionApp(resource))
+	}
+	return functionApps
+}
+
+func adaptServices(deployment azure.Deployment) []appservice.Service {
+	var services []appservice.Service
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Web/sites") {
+		services = append(services, adaptService(resource))
+	}
+	return services
+}
+
+func adaptFunctionApp(resource azure.Resource) appservice.FunctionApp {
+	return appservice.FunctionApp{
+		Metadata:  resource.Metadata,
+		HTTPSOnly: resource.Properties.GetMapValue("httpsOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
+	}
+}
+
+func adaptService(resource azure.Resource) appservice.Service {
+	return appservice.Service{
+		Metadata:         resource.Metadata,
+		EnableClientCert: resource.Properties.GetMapValue("clientCertEnabled").AsBoolValue(false, resource.Properties.GetMetadata()),
+		Identity: struct{ Type defsecTypes.StringValue }{
+			Type: resource.Properties.GetMapValue("identity").GetMapValue("type").AsStringValue("", resource.Properties.GetMetadata()),
+		},
+		Authentication: struct{ Enabled defsecTypes.BoolValue }{
+			Enabled: resource.Properties.GetMapValue("siteAuthSettings").GetMapValue("enabled").AsBoolValue(false, resource.Properties.GetMetadata()),
+		},
+		Site: struct {
+			EnableHTTP2       defsecTypes.BoolValue
+			MinimumTLSVersion defsecTypes.StringValue
+		}{
+			EnableHTTP2:       resource.Properties.GetMapValue("httpsOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
+			MinimumTLSVersion: resource.Properties.GetMapValue("minTlsVersion").AsStringValue("", resource.Properties.GetMetadata()),
+		},
+	}
+}
@@ -0,0 +1,38 @@
+package authorization
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/azure/authorization"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+func Adapt(deployment azure.Deployment) authorization.Authorization {
+	return authorization.Authorization{
+		RoleDefinitions: adaptRoleDefinitions(deployment),
+	}
+}
+
+func adaptRoleDefinitions(deployment azure.Deployment) (roleDefinitions []authorization.RoleDefinition) {
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Authorization/roleDefinitions") {
+		roleDefinitions = append(roleDefinitions, adaptRoleDefinition(resource))
+	}
+	return roleDefinitions
+}
+
+func adaptRoleDefinition(resource azure.Resource) authorization.RoleDefinition {
+
+	return authorization.RoleDefinition{
+		Metadata:         resource.Metadata,
+		Permissions:      adaptPermissions(resource),
+		AssignableScopes: resource.Properties.GetMapValue("assignableScopes").AsStringValuesList(""),
+	}
+}
+
+func adaptPermissions(resource azure.Resource) (permissions []authorization.Permission) {
+	for _, permission := range resource.Properties.GetMapValue("permissions").AsList() {
+		permissions = append(permissions, authorization.Permission{
+			Metadata: resource.Metadata,
+			Actions:  permission.GetMapValue("actions").AsStringValuesList(""),
+		})
+	}
+	return permissions
+}
@@ -0,0 +1,85 @@
+package compute
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/azure/compute"
+	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+func Adapt(deployment azure.Deployment) compute.Compute {
+	return compute.Compute{
+		LinuxVirtualMachines:   adaptLinuxVirtualMachines(deployment),
+		WindowsVirtualMachines: adaptWindowsVirtualMachines(deployment),
+		ManagedDisks:           adaptManagedDisks(deployment),
+	}
+}
+
+func adaptManagedDisks(deployment azure.Deployment) (managedDisks []compute.ManagedDisk) {
+
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Compute/disks") {
+		managedDisks = append(managedDisks, adaptManagedDisk(resource))
+	}
+
+	return managedDisks
+}
+
+func adaptManagedDisk(resource azure.Resource) compute.ManagedDisk {
+	hasEncryption := resource.Properties.HasKey("encryption")
+
+	return compute.ManagedDisk{
+		Metadata: resource.Metadata,
+		Encryption: compute.Encryption{
+			Metadata: resource.Metadata,
+			Enabled:  defsecTypes.Bool(hasEncryption, resource.Metadata),
+		},
+	}
+}
+
+func adaptWindowsVirtualMachines(deployment azure.Deployment) (windowsVirtualMachines []compute.WindowsVirtualMachine) {
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Compute/virtualMachines") {
+		if resource.Properties.GetMapValue("osProfile").GetMapValue("windowsConfiguration").AsMap() != nil {
+			windowsVirtualMachines = append(windowsVirtualMachines, adaptWindowsVirtualMachine(resource))
+		}
+	}
+
+	return windowsVirtualMachines
+}
+
+func adaptWindowsVirtualMachine(resource azure.Resource) compute.WindowsVirtualMachine {
+	return compute.WindowsVirtualMachine{
+		Metadata: resource.Metadata,
+		VirtualMachine: compute.VirtualMachine{
+			Metadata: resource.Metadata,
+			CustomData: resource.Properties.GetMapValue("osProfile").
+				GetMapValue("customData").AsStringValue("", resource.Metadata),
+		},
+	}
+}
+
+func adaptLinuxVirtualMachines(deployment azure.Deployment) (linuxVirtualMachines []compute.LinuxVirtualMachine) {
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Compute/virtualMachines") {
+		if resource.Properties.GetMapValue("osProfile").GetMapValue("linuxConfiguration").AsMap() != nil {
+			linuxVirtualMachines = append(linuxVirtualMachines, adaptLinuxVirtualMachine(resource))
+		}
+	}
+
+	return linuxVirtualMachines
+}
+
+func adaptLinuxVirtualMachine(resource azure.Resource) compute.LinuxVirtualMachine {
+	return compute.LinuxVirtualMachine{
+		Metadata: resource.Metadata,
+		VirtualMachine: compute.VirtualMachine{
+			Metadata: resource.Metadata,
+			CustomData: resource.Properties.GetMapValue("osProfile").
+				GetMapValue("customData").AsStringValue("", resource.Metadata),
+		},
+		OSProfileLinuxConfig: compute.OSProfileLinuxConfig{
+			Metadata: resource.Metadata,
+			DisablePasswordAuthentication: resource.Properties.GetMapValue("osProfile").
+				GetMapValue("linuxConfiguration").
+				GetMapValue("disablePasswordAuthentication").AsBoolValue(false, resource.Metadata),
+		},
+	}
+
+}
@@ -0,0 +1,60 @@
+package compute
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/defsec/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_AdaptLinuxVM(t *testing.T) {
+
+	input := azure.Deployment{
+		Resources: []azure.Resource{
+			{
+				Type: azure.NewValue("Microsoft.Compute/virtualMachines", types.NewTestMetadata()),
+				Properties: azure.NewValue(map[string]azure.Value{
+					"osProfile": azure.NewValue(map[string]azure.Value{
+						"linuxConfiguration": azure.NewValue(map[string]azure.Value{
+							"disablePasswordAuthentication": azure.NewValue(true, types.NewTestMetadata()),
+						}, types.NewTestMetadata()),
+					}, types.NewTestMetadata()),
+				}, types.NewTestMetadata()),
+			},
+		},
+	}
+
+	output := Adapt(input)
+
+	require.Len(t, output.LinuxVirtualMachines, 1)
+	require.Len(t, output.WindowsVirtualMachines, 0)
+
+	linuxVM := output.LinuxVirtualMachines[0]
+	assert.True(t, linuxVM.OSProfileLinuxConfig.DisablePasswordAuthentication.IsTrue())
+
+}
+
+func Test_AdaptWindowsVM(t *testing.T) {
+
+	input := azure.Deployment{
+		Resources: []azure.Resource{
+			{
+				Type: azure.NewValue("Microsoft.Compute/virtualMachines", types.NewTestMetadata()),
+				Properties: azure.NewValue(map[string]azure.Value{
+					"osProfile": azure.NewValue(map[string]azure.Value{
+						"windowsConfiguration": azure.NewValue(map[string]azure.Value{}, types.NewTestMetadata()),
+					}, types.NewTestMetadata()),
+				}, types.NewTestMetadata()),
+			},
+		},
+	}
+
+	output := Adapt(input)
+
+	require.Len(t, output.LinuxVirtualMachines, 0)
+	require.Len(t, output.WindowsVirtualMachines, 1)
+}
@@ -0,0 +1,17 @@
+package container
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/azure/container"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+func Adapt(deployment azure.Deployment) container.Container {
+	return container.Container{
+		KubernetesClusters: adaptKubernetesClusters(deployment),
+	}
+}
+
+func adaptKubernetesClusters(deployment azure.Deployment) []container.KubernetesCluster {
+
+	return nil
+}
@@ -0,0 +1,35 @@
+package database
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/azure/database"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+func Adapt(deployment azure.Deployment) database.Database {
+	return database.Database{
+		MSSQLServers:      adaptMSSQLServers(deployment),
+		MariaDBServers:    adaptMariaDBServers(deployment),
+		MySQLServers:      adaptMySQLServers(deployment),
+		PostgreSQLServers: adaptPostgreSQLServers(deployment),
+	}
+}
+
+func adaptMySQLServers(deployment azure.Deployment) (mysqlDbServers []database.MySQLServer) {
+	for _, resource := range deployment.GetResourcesByType("Microsoft.DBforMySQL/servers") {
+		mysqlDbServers = append(mysqlDbServers, adaptMySQLServer(resource, deployment))
+	}
+	return mysqlDbServers
+}
+
+func adaptMySQLServer(resource azure.Resource, deployment azure.Deployment) database.MySQLServer {
+	return database.MySQLServer{
+		Metadata: resource.Metadata,
+		Server: database.Server{
+			Metadata:                  resource.Metadata,
+			EnableSSLEnforcement:      resource.Properties.GetMapValue("sslEnforcement").AsBoolValue(false, resource.Metadata),
+			MinimumTLSVersion:         resource.Properties.GetMapValue("minimalTlsVersion").AsStringValue("TLSEnforcementDisabled", resource.Metadata),
+			EnablePublicNetworkAccess: resource.Properties.GetMapValue("publicNetworkAccess").AsBoolValue(false, resource.Metadata),
+			FirewallRules:             addFirewallRule(resource),
+		},
+	}
+}
@@ -0,0 +1,18 @@
+package database
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/azure/database"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+func addFirewallRule(resource azure.Resource) []database.FirewallRule {
+	var rules []database.FirewallRule
+	for _, rule := range resource.Properties.GetMapValue("firewallRules").AsMap() {
+		rules = append(rules, database.FirewallRule{
+			Metadata: rule.Metadata,
+			StartIP:  rule.GetMapValue("startIpAddress").AsStringValue("", rule.Metadata),
+			EndIP:    rule.GetMapValue("endIpAddress").AsStringValue("", rule.Metadata),
+		})
+	}
+	return rules
+}
@@ -0,0 +1,27 @@
+package database
+
+import (
+	"github.com/aquasecurity/defsec/pkg/providers/azure/database"
+	"github.com/aquasecurity/trivy/pkg/scanners/azure"
+)
+
+func adaptMariaDBServers(deployment azure.Deployment) (mariaDbServers []database.MariaDBServer) {
+	for _, resource := range deployment.GetResourcesByType("Microsoft.DBforMariaDB/servers") {
+		mariaDbServers = append(mariaDbServers, adaptMariaDBServer(resource, deployment))
+	}
+	return mariaDbServers
+
+}
+
+func adaptMariaDBServer(resource azure.Resource, deployment azure.Deployment) database.MariaDBServer {
+	return database.MariaDBServer{
+		Metadata: resource.Metadata,
+		Server: database.Server{
+			Metadata:                  resource.Metadata,
+			EnableSSLEnforcement:      resource.Properties.GetMapValue("sslEnforcement").AsBoolValue(false, resource.Metadata),
+			MinimumTLSVersion:         resource.Properties.GetMapValue("minimalTlsVersion").AsStringValue("TLSEnforcementDisabled", resource.Metadata),
+			EnablePublicNetworkAccess: resource.Properties.GetMapValue("publicNetworkAccess").AsBoolValue(false, resource.Metadata),
+			FirewallRules:             addFirewallRule(resource),
+		},
+	}
+}