Merge branch 'main' into feat/bigtabledeletion

.github/workflows/codeql-analysis.yml

@@ -54,12 +54,12 @@ jobs:
           pipenv lock -r > requirements.txt
           pip install -r requirements.txt
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@2cb752a87e96af96708ab57187ab6372ee1973ab  # v2
+        uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1  # v2
         with:
           languages: python
           setup-python-dependencies: false
           config-file: ./.github/codeql-config.yml
       - name: Autobuild
-        uses: github/codeql-action/autobuild@2cb752a87e96af96708ab57187ab6372ee1973ab  # v2
+        uses: github/codeql-action/autobuild@0116bc2df50751f9724a2e35ef1f24d22f90e4e1  # v2
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@2cb752a87e96af96708ab57187ab6372ee1973ab  # v2
+        uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1  # v2

.github/workflows/pr-title.yml

@@ -15,7 +15,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f  # v1
+      - uses: thehanimo/pr-title-checker@5652588c80c479af803eabfbdb5a3895a77c1388  # v1
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           configuration_path: ".github/pr-title-checker-config.json"

CHANGELOG.md

@@ -1,6 +1,28 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/2.5.8...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/2.5.11...HEAD)
+
+## [2.5.11](https://github.com/bridgecrewio/checkov/compare/2.5.10...2.5.11) - 2023-10-17
+
+### Feature
+
+- **sca:** giving file path on relative the the current dir for cases there is no either specified root_folder and the is no repo scan dir - [#5654](https://github.com/bridgecrewio/checkov/pull/5654)
+
+## [2.5.10](https://github.com/bridgecrewio/checkov/compare/2.5.9...2.5.10) - 2023-10-16
+
+### Feature
+
+- **terraform:** support scanning of Terraform managed modules instead of downloading them - [#5635](https://github.com/bridgecrewio/checkov/pull/5635)
+
+### Bug Fix
+
+- **terraform:** Fixing issues with checks CKV_AZURE_226 & CKV_AZURE_227 - [#5638](https://github.com/bridgecrewio/checkov/pull/5638)
+
+## [2.5.9](https://github.com/bridgecrewio/checkov/compare/2.5.8...2.5.9) - 2023-10-15
+
+### Feature
+
+- **sca:** support case where there are no cves suppressions - [#5636](https://github.com/bridgecrewio/checkov/pull/5636)
 
 ## [2.5.8](https://github.com/bridgecrewio/checkov/compare/2.5.6...2.5.8) - 2023-10-12
 

checkov/arm/checks/resource/DataFactoryUsesGitRepository.py

@@ -0,0 +1,30 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class DataFactoryUsesGitRepository(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Azure Data Factory uses Git repository for source control"
+        id = "CKV_AZURE_103"
+        supported_resources = ("Microsoft.DataFactory/factories",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        properties = conf.get("properties")
+        if properties and isinstance(properties, dict):
+            self.evaluated_keys = ["properties/repoConfiguration/type"]
+            repo = properties.get("repoConfiguration")
+            if not repo:
+                return CheckResult.FAILED
+            if repo and isinstance(repo, dict) and repo.get("type") is not None:
+                return CheckResult.PASSED
+            return CheckResult.UNKNOWN
+        return CheckResult.FAILED
+
+
+check = DataFactoryUsesGitRepository()

checkov/arm/checks/resource/MySQLEncryptionEnabled.py

@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+from typing import Any
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class MySQLEncryptionEnabled(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that MySQL server enables infrastructure encryption"
+        id = "CKV_AZURE_96"
+        supported_resources = ("Microsoft.DBforMySQL/flexibleServers",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResult:
+        properties = conf.get("properties")
+        if properties and isinstance(properties, dict):
+            self.evaluated_keys = ["properties/dataencryption"]
+            data_encryption = properties.get("dataencryption")
+            if data_encryption and isinstance(data_encryption, dict):
+                if data_encryption is None:
+                    return CheckResult.FAILED
+                return CheckResult.PASSED
+            # unparsed
+            elif data_encryption and isinstance(data_encryption, str):
+                return CheckResult.UNKNOWN
+            return CheckResult.FAILED
+        return CheckResult.UNKNOWN
+
+
+check = MySQLEncryptionEnabled()

checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+from typing import Any
+
+from checkov.common.util.data_structures_utils import find_in_dict
+
+
+class VMEncryptionAtHostEnabled(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Virtual machine scale sets have encryption at host enabled"
+        id = "CKV_AZURE_97"
+        supported_resources = ("Microsoft.Compute/virtualMachineScaleSets", "Microsoft.Compute/virtualMachines")
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        encryption = ""
+
+        if self.entity_type == "Microsoft.Compute/virtualMachines":
+            self.evaluated_keys = ["properties/securityProfile/encryptionAtHost"]
+            encryption = find_in_dict(input_dict=conf, key_path="properties/securityProfile/encryptionAtHost")
+        elif self.entity_type == "Microsoft.Compute/virtualMachineScaleSets":
+            self.evaluated_keys = ["properties/virtualMachineProfile/securityProfile/encryptionAtHost"]
+            encryption = find_in_dict(
+                input_dict=conf, key_path="properties/virtualMachineProfile/securityProfile/encryptionAtHost"
+            )
+
+        if encryption == "true":
+            return CheckResult.PASSED
+
+        return CheckResult.FAILED
+
+
+check = VMEncryptionAtHostEnabled()

checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py

@@ -1,30 +1,32 @@
-from typing import List
+from __future__ import annotations
+
+from typing import Any
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck
 
 
 class LambdaEnvironmentEncryptionSettings(BaseResourceCheck):
-    def __init__(self):
+    def __init__(self) -> None:
         name = "Check encryption settings for Lambda environmental variable"
         id = "CKV_AWS_173"
-        supported_resources = ['AWS::Lambda::Function', "AWS::Serverless::Function"]
-        categories = [CheckCategories.ENCRYPTION]
+        supported_resources = ("AWS::Lambda::Function", "AWS::Serverless::Function")
+        categories = (CheckCategories.ENCRYPTION,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def scan_resource_conf(self, conf):
-        properties = conf.get('Properties')
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        properties = conf.get("Properties")
         if properties is not None:
-            env = properties.get('Environment')
+            env = properties.get("Environment")
             if env is not None:
                 if not isinstance(env, dict):
                     return CheckResult.UNKNOWN
-                elif env.get('Variables') and not properties.get('KmsKeyArn'):
+                elif env.get("Variables") and not properties.get("KmsKeyArn"):
                     return CheckResult.FAILED
         return CheckResult.PASSED
 
-    def get_evaluated_keys(self) -> List[str]:
-        return ['Properties/Environment/Variables', 'Properties/KmsKeyArn']
+    def get_evaluated_keys(self) -> list[str]:
+        return ["Properties/KmsKeyArn"]
 
 
 check = LambdaEnvironmentEncryptionSettings()

checkov/common/bridgecrew/integration_features/features/suppressions_integration.py

@@ -166,7 +166,8 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo
         elif type == 'Cves':
             if 'accountIds' not in suppression:
                 return False
-            if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']:
+            if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']\
+                    and suppression['cves']:
                 repo_name = self.bc_integration.repo_id.replace('\\', '/').split('/')[-1]
                 suppression_path = suppression['cves'][0]['id'].replace('\\', '/')
                 file_abs_path = record.file_abs_path.replace('\\', '/')

checkov/sca_package_2/runner.py

@@ -140,6 +140,13 @@ def run(
 
         return report
 
+    def _persist_file_if_required(self, package_files_to_persist: List[FileToPersist],
+                                  file_path: Path, root_path: Path | None) -> None:
+        if file_path.name in SCANNABLE_PACKAGE_FILES or file_path.suffix in SCANNABLE_PACKAGE_FILES_EXTENSIONS:
+            file_path_str = str(file_path)
+            # in case of root_path is None, we will get the path in related to the current work dir
+            package_files_to_persist.append(FileToPersist(file_path_str, os.path.relpath(file_path_str, root_path)))
+
     def upload_package_files(
             self,
             root_path: Path | None,
@@ -154,21 +161,18 @@ def upload_package_files(
         try:
             if root_path:
                 for file_path in root_path.glob("**/*"):
-                    if (file_path.name in SCANNABLE_PACKAGE_FILES or file_path.suffix in SCANNABLE_PACKAGE_FILES_EXTENSIONS) and not any(
-                            p in file_path.parts for p in excluded_paths) and file_path.name not in excluded_file_names:
-                        file_path_str = str(file_path)
-                        package_files_to_persist.append(
-                            FileToPersist(file_path_str, os.path.relpath(file_path_str, root_path)))
+                    if any(p in file_path.parts for p in excluded_paths) or file_path.name in excluded_file_names:
+                        logging.debug(f"[sca_package:runner](upload_package_files) - File {file_path} was excluded")
+                        continue
+                    self._persist_file_if_required(package_files_to_persist, file_path, root_path)
 
             if files:
-                root_folder = os.path.split(os.path.commonprefix(files))[0]
                 for file in files:
                     file_path = Path(file)
                     if not file_path.exists():
-                        logging.warning(f"File {file_path} doesn't exist")
+                        logging.warning(f"[sca_package:runner](upload_package_files) - File {file_path} doesn't exist")
                         continue
-                    if file_path.name in SCANNABLE_PACKAGE_FILES or file_path.suffix in SCANNABLE_PACKAGE_FILES_EXTENSIONS:
-                        package_files_to_persist.append(FileToPersist(file, os.path.relpath(file, root_folder)))
+                    self._persist_file_if_required(package_files_to_persist, file_path, root_path)
 
             logging.info(f"{len(package_files_to_persist)} sca package files found.")
             bc_integration.persist_files(package_files_to_persist)

checkov/terraform/checks/resource/aws/EKSPlatformVersion.py

@@ -24,7 +24,7 @@ def get_inspected_key(self) -> str:
         return "version"
 
     def get_expected_values(self) -> list[Any]:
-        return ["1.23", "1.24", "1.25", "1.26", "1.27"]
+        return ["1.23", "1.24", "1.25", "1.26", "1.27", "1.28"]
 
 
 check = EKSPlatformVersion()

checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py

@@ -1,26 +1,28 @@
+from __future__ import annotations
+
+from typing import Any
+
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
 
 
 class EKSPublicAccessCIDR(BaseResourceCheck):
-    def __init__(self):
+    def __init__(self) -> None:
         name = "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
         id = "CKV_AWS_38"
-        supported_resources = ['aws_eks_cluster']
-        categories = [CheckCategories.KUBERNETES]
+        supported_resources = ('aws_eks_cluster',)
+        categories = (CheckCategories.KUBERNETES,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def scan_resource_conf(self, conf):
+    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
         """
             Looks for public_access_cidrs at aws_eks_cluster:
             https://www.terraform.io/docs/providers/aws/r/eks_cluster.html
         :param conf: aws_eks_cluster configuration
         :return: <CheckResult>
         """
-        self.evaluated_keys = ['vpc_config']
         if "vpc_config" in conf.keys():
             if "endpoint_public_access" in conf["vpc_config"][0] and not conf["vpc_config"][0]["endpoint_public_access"][0]:
-                self.evaluated_keys = ['vpc_config/[0]/endpoint_public_access']
                 return CheckResult.PASSED
             elif "public_access_cidrs" in conf["vpc_config"][0]:
                 self.evaluated_keys = ['vpc_config/[0]/public_access_cidrs']

checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py

@@ -18,23 +18,19 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
         # check that if I have env vars I have a KMS key
         if len(conf.get("environment", [])):
             if "kms_key_arn" in conf:
-                if conf["kms_key_arn"] == [""]:
-                    self.evaluated_keys = ["environment/kms_key_arn"]
+                if conf.get("kms_key_arn") == [""]:
                     return CheckResult.FAILED
                 return CheckResult.PASSED
-            self.evaluated_keys = ["environment"]
             return CheckResult.FAILED
 
         # no env vars so should be no key as that causes state mismatch
-        if "kms_key_arn" in conf:
-            if not len(conf["kms_key_arn"]):
-                return CheckResult.PASSED
+        if "kms_key_arn" in conf and len(conf["kms_key_arn"]):
             return CheckResult.FAILED
         # neither env vars nor kms key
         return CheckResult.UNKNOWN
 
     def get_evaluated_keys(self) -> list[str]:
-        return ["environment/[0]/variables"]
+        return ["kms_key_arn"]
 
 
 check = LambdaEnvironmentEncryptionSettings()

checkov/terraform/checks/resource/aws/SNSTopicEncryption.py

@@ -1,4 +1,4 @@
-from typing import List, Any
+from typing import Any
 
 from checkov.common.models.enums import CheckCategories
 from checkov.common.models.consts import ANY_VALUE
@@ -16,8 +16,8 @@ def __init__(self) -> None:
     def get_inspected_key(self) -> str:
         return "kms_master_key_id"
 
-    def get_expected_values(self) -> List[Any]:
-        return [ANY_VALUE]
+    def get_expected_value(self) -> Any:
+        return ANY_VALUE
 
 
 check = SNSTopicEncryption()

checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py

@@ -1,4 +1,3 @@
-
 from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
 
@@ -18,11 +17,19 @@ def __init__(self) -> None:
         id = "CKV_AZURE_227"
         supported_resources = ("azurerm_kubernetes_cluster", "azurerm_kubernetes_cluster_node_pool")
         categories = (CheckCategories.KUBERNETES,)
-        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
-                         missing_block_result=CheckResult.FAILED)
+        super().__init__(
+            name=name,
+            id=id,
+            categories=categories,
+            supported_resources=supported_resources,
+            missing_block_result=CheckResult.FAILED,
+        )
 
     def get_inspected_key(self) -> str:
-        return "enable_host_encryption"
+        if self.entity_type == "azurerm_kubernetes_cluster":
+            return "default_node_pool/[0]/enable_host_encryption"
+        else:
+            return "enable_host_encryption"
 
 
 check = AKSEncryptionAtHostEnabled()

checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py

@@ -25,7 +25,7 @@ def __init__(self) -> None:
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def get_inspected_key(self) -> str:
-        return "os_disk_type"
+        return "default_node_pool/[0]/os_disk_type"
 
     def get_expected_value(self) -> Any:
         return "Ephemeral"