fix FP in password and secrets query

Checkmarx · Feb 27, 2025 · d395589 · d395589
1 parent 65bd62f
commit d395589
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 0 deletions.
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -16,6 +16,14 @@
         {
           "description": "Avoiding Ansible playbook update_password",
           "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+        },
+        {
+          "description": "Allow passwords retrieved from Terraform data sources",
+          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.azurerm_key_vault_secret\\.[A-Za-z0-9_]+\\.value"
+        },
+        {
+          "description": "Allow passwords retrieved from AWS KMS Secrets",
+          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.aws_kms_secrets\\.[A-Za-z0-9_]+\\.plaintext\\[\"[A-Za-z0-9_]+\"\\]"
         }
       ],
       "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"

diff --git a/assets/queries/common/passwords_and_secrets/test/negative47.tf b/assets/queries/common/passwords_and_secrets/test/negative47.tf
@@ -0,0 +1,44 @@
+provider "azurerm" {
+  features {}
+}
+
+# Example of using an existing Key Vault and secret
+data "azurerm_key_vault" "example" {
+  name                = "your-key-vault-name"
+  resource_group_name = "your-resource-group"
+}
+
+data "azurerm_key_vault_secret" "LinuxVmPassword" {
+  name          = "your-secret-name"
+  key_vault_id  = data.azurerm_key_vault.example.id
+}
+
+resource "azurerm_linux_virtual_machine" "example_vm" {
+  name                = "example-vm"
+  resource_group_name = "your-resource-group"
+  location            = "your-location"
+  size                = "Standard_DS1_v2"
+  admin_username      = "adminuser"
+  admin_password      = data.azurerm_key_vault_secret.LinuxVmPassword.value
+
+  network_interface_ids = [
+    # Your network interface ID
+  ]
+
+  os_disk {
+    caching              = "ReadWrite"
+    storage_account_type = "Standard_LRS"
+  }
+
+  source_image_reference {
+    publisher = "Canonical"
+    offer     = "UbuntuServer"
+    sku       = "18.04-LTS"
+    version   = "latest"
+  }
+}
+
+output "vm_password" {
+  value     = data.azurerm_key_vault_secret.LinuxVmPassword.value
+  sensitive = true
+}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative48.tf b/assets/queries/common/passwords_and_secrets/test/negative48.tf
@@ -0,0 +1,17 @@
+data "template_file" "sci_integration_app_properties_secret_template" {
+  template = file(join("", ["/secrets/sci-integration-app", var.resource_identifier_shorthand], ".json"))
+
+  vars = {
+    ayreshirerarran_password   = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["ayreshirerarran_password"]
+    lanark_password            = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lanark_password"]
+    tayside_password           = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["tayside_password"]
+    glasgow_password           = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["glasgow_password"]
+    grampian_password          = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["grampian_password"]
+    highland_password          = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["highland_password"]
+    westernisles_password      = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["westernisles_password"]
+    dumfriesandgalloway_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["dumfriesandgalloway_password"]
+    forthvalley_password       = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["forthvalley_password"]
+    borders_password           = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["borders_password"]
+    lothian_password           = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lothian_password"]
+  }
+}