Merge pull request #36 from nikpivkin/google-dns

fix(google): update AVD-GCP-0012 rule
aquasecurity · Nov 20, 2023 · f6f2330 · f6f2330
2 parents f2affd6 + 07d0ac0
commit f6f2330
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 65 deletions.
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/aquasecurity/trivy-policies
 go 1.20
 
 require (
-	github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5
+	github.com/aquasecurity/defsec v0.93.2-0.20231117234854-a13ada52a90f
 	github.com/aquasecurity/trivy-iac v0.5.2
 	github.com/docker/docker v24.0.7+incompatible
 	github.com/liamg/iamgo v0.0.9

diff --git a/go.sum b/go.sum
@@ -26,8 +26,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
-github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5 h1:CkfFZpctJrH+oHWlvuAE2qV4DNDqaVtPlEkVksbwuwo=
-github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0=
+github.com/aquasecurity/defsec v0.93.2-0.20231117234854-a13ada52a90f h1:cO9S78J2eBx9tEIZYwFoousuYWV4DtgQlGsZUusMyNY=
+github.com/aquasecurity/defsec v0.93.2-0.20231117234854-a13ada52a90f/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0=
 github.com/aquasecurity/trivy-iac v0.5.2 h1:cqeSDEfQtM3l4ceiQ+IUD2K/ZBhyz443xe+S2TkBdE0=
 github.com/aquasecurity/trivy-iac v0.5.2/go.mod h1:dHoaIzm4niotuaEiSM40HelhcL8m/2MHzT3uHcQYUh8=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=

diff --git a/rules/cloud/policies/google/dns/no_rsa_sha1.go b/rules/cloud/policies/google/dns/no_rsa_sha1.go
@@ -1,6 +1,8 @@
 package dns
 
 import (
+	"fmt"
+
 	"github.com/aquasecurity/defsec/pkg/providers"
 	"github.com/aquasecurity/defsec/pkg/scan"
 	"github.com/aquasecurity/defsec/pkg/severity"
@@ -32,18 +34,14 @@ var CheckNoRsaSha1 = rules.Register(
 			if zone.Metadata.IsUnmanaged() {
 				continue
 			}
-			if zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm.EqualTo("rsasha1") {
-				results.Add(
-					"Zone KSK uses RSA SHA1 for signing.",
-					zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm,
-				)
-			} else if zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Algorithm.EqualTo("rsasha1") {
-				results.Add(
-					"Zone ZSK uses RSA SHA1 for signing.",
-					zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Algorithm,
-				)
-			} else {
-				results.AddPassed(&zone)
+			for _, keySpec := range zone.DNSSec.DefaultKeySpecs {
+
+				if keySpec.Algorithm.EqualTo("rsasha1") {
+					results.Add(
+						fmt.Sprintf("Zone uses %q key type with RSA SHA1 algorithm for signing.", keySpec.KeyType.Value()),
+						keySpec.Algorithm,
+					)
+				}
 			}
 		}
 		return

diff --git a/rules/cloud/policies/google/dns/no_rsa_sha1.tf.go b/rules/cloud/policies/google/dns/no_rsa_sha1.tf.go
@@ -2,53 +2,43 @@ package dns
 
 var terraformNoRsaSha1GoodExamples = []string{
 	`
- resource "google_dns_managed_zone" "foo" {
- 	name     = "foobar"
- 	dns_name = "foo.bar."
- 	
- 	dnssec_config {
- 		state         = "on"
- 		non_existence = "nsec3"
- 	}
- }
- 	
- data "google_dns_keys" "foo_dns_keys" {
- 	managed_zone = google_dns_managed_zone.foo.id
- 	zone_signing_keys {
- 		algorithm = "rsasha512"
- 	}
- }
- 	
- output "foo_dns_ds_record" {
- 	description = "DS record of the foo subdomain."
- 	value       = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
- }
+resource "google_dns_managed_zone" "example-zone" {
+  name     = "example-zone"
+  dns_name = "example-${random_id.rnd.hex}.com."
+
+  dnssec_config {
+    state = "on"
+    default_key_specs {
+      algorithm = "rsasha512"
+      key_type  = "keySigning"
+    }
+	default_key_specs {
+      algorithm = "rsasha512"
+      key_type  = "zoneSigning"
+    }
+  }
+}
  `,
 }
 
 var terraformNoRsaSha1BadExamples = []string{
 	`
- resource "google_dns_managed_zone" "foo" {
- 	name     = "foobar"
- 	dns_name = "foo.bar."
- 	
- 	dnssec_config {
- 		state         = "on"
- 		non_existence = "nsec3"
- 	}
- }
- 	
- data "google_dns_keys" "foo_dns_keys" {
- 	managed_zone = google_dns_managed_zone.foo.id
- 	zone_signing_keys {
- 		algorithm = "rsasha1"
- 	}
- }
- 	
- output "foo_dns_ds_record" {
- 	description = "DS record of the foo subdomain."
- 	value       = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
- }
+resource "google_dns_managed_zone" "example-zone" {
+  name     = "example-zone"
+  dns_name = "example-${random_id.rnd.hex}.com."
+
+  dnssec_config {
+    state = "on"
+    default_key_specs {
+      algorithm = "rsasha1"
+      key_type  = "keySigning"
+    }
+	default_key_specs {
+      algorithm = "rsasha1"
+      key_type  = "zoneSigning"
+    }
+  }
+}
  `,
 }
 

diff --git a/rules/cloud/policies/google/dns/no_rsa_sha1_test.go b/rules/cloud/policies/google/dns/no_rsa_sha1_test.go
@@ -27,15 +27,16 @@ func TestCheckNoRsaSha1(t *testing.T) {
 						Metadata: defsecTypes.NewTestMetadata(),
 						DNSSec: dns.DNSSec{
 							Metadata: defsecTypes.NewTestMetadata(),
-							DefaultKeySpecs: dns.KeySpecs{
-								Metadata: defsecTypes.NewTestMetadata(),
-								KeySigningKey: dns.Key{
+							DefaultKeySpecs: []dns.KeySpecs{
+								{
 									Metadata:  defsecTypes.NewTestMetadata(),
 									Algorithm: defsecTypes.String("rsasha1", defsecTypes.NewTestMetadata()),
+									KeyType:   defsecTypes.String("keySigning", defsecTypes.NewTestMetadata()),
 								},
-								ZoneSigningKey: dns.Key{
+								{
 									Metadata:  defsecTypes.NewTestMetadata(),
 									Algorithm: defsecTypes.String("rsasha1", defsecTypes.NewTestMetadata()),
+									KeyType:   defsecTypes.String("zoneSigning", defsecTypes.NewTestMetadata()),
 								},
 							},
 						},
@@ -52,15 +53,16 @@ func TestCheckNoRsaSha1(t *testing.T) {
 						Metadata: defsecTypes.NewTestMetadata(),
 						DNSSec: dns.DNSSec{
 							Metadata: defsecTypes.NewTestMetadata(),
-							DefaultKeySpecs: dns.KeySpecs{
-								Metadata: defsecTypes.NewTestMetadata(),
-								KeySigningKey: dns.Key{
+							DefaultKeySpecs: []dns.KeySpecs{
+								{
 									Metadata:  defsecTypes.NewTestMetadata(),
 									Algorithm: defsecTypes.String("rsasha512", defsecTypes.NewTestMetadata()),
+									KeyType:   defsecTypes.String("keySigning", defsecTypes.NewTestMetadata()),
 								},
-								ZoneSigningKey: dns.Key{
+								{
 									Metadata:  defsecTypes.NewTestMetadata(),
 									Algorithm: defsecTypes.String("rsasha512", defsecTypes.NewTestMetadata()),
+									KeyType:   defsecTypes.String("zoneSigning", defsecTypes.NewTestMetadata()),
 								},
 							},
 						},