From 2f4d5efc899395dbef25a1778b8424e5fdae4fce Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Tue, 25 Jun 2024 13:34:49 +0700
Subject: [PATCH] fix(checks): correctly check the protocol in the AVD-AWS-0102 rule

Signed-off-by: Nikita Pivkin
---
 .../cloud/aws/ec2/no_excessive_port_access.go | 2 +-
 .../aws/ec2/no_excessive_port_access_test.go | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/checks/cloud/aws/ec2/no_excessive_port_access.go b/checks/cloud/aws/ec2/no_excessive_port_access.go
index 296bd088..f1b1e327 100755
--- a/checks/cloud/aws/ec2/no_excessive_port_access.go
+++ b/checks/cloud/aws/ec2/no_excessive_port_access.go
@@ -39,7 +39,7 @@ var CheckNoExcessivePortAccess = rules.Register(
 func(s *state.State) (results scan.Results) {
 for _, acl := range s.AWS.EC2.NetworkACLs {
 for _, rule := range acl.Rules {
- if rule.Action.EqualTo("allow") && rule.Protocol.EqualTo("-1") || rule.Protocol.EqualTo("all") {
+ if rule.Action.EqualTo("allow") && (rule.Protocol.EqualTo("-1") || rule.Protocol.EqualTo("all")) {
 results.Add(
 "Network ACL rule allows access using ALL ports.",
 rule.Protocol,
diff --git a/checks/cloud/aws/ec2/no_excessive_port_access_test.go b/checks/cloud/aws/ec2/no_excessive_port_access_test.go
index f9bcc241..90d623c9 100644
--- a/checks/cloud/aws/ec2/no_excessive_port_access_test.go
+++ b/checks/cloud/aws/ec2/no_excessive_port_access_test.go
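Review bot: The parenthesised condition is now correct, but the grouping is still easy to misread and the same precedence slip can come back the next time a protocol alias is added; hoisting the predicate into a named local makes the intent explicit, e.g. `allProtocols := rule.Protocol.EqualTo("-1") || rule.Protocol.EqualTo("all")` followed by `if rule.Action.EqualTo("allow") && allProtocols {`. The finding text on the next context line says "ALL ports" while the condition only tests the protocol; a NACL rule with protocol -1/all matches all protocols (and so every port), so consider a message that names what is actually checked, such as `"Network ACL rule allows all traffic (protocol -1/all)."`. Both comparisons are case-sensitive, so if the adapters that populate s.AWS.EC2.NetworkACLs pass the protocol string through unnormalised, a value like `ALL` would be missed — worth confirming at the adapter rather than here. The rule body continues past the end of this hunk.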
@@ -75,6 +75,25 @@ func TestCheckNoExcessivePortAccess(t *testing.T) {
 },
 expected: false,
 },
+ {
+ name: "Deny with protocol set to all",
+ input: ec2.EC2{
+ NetworkACLs: []ec2.NetworkACL{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []ec2.NetworkACLRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Protocol: trivyTypes.String("all", trivyTypes.NewTestMetadata()),
+ Type: trivyTypes.String("ingress", trivyTypes.NewTestMetadata()),
+ Action: trivyTypes.String("deny", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ },
+ },
+ expected: false,
+ },
 }
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
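Review bot: The new case pins only the negative side of the fixed condition (deny + "all" must not fire); unless one of the cases above line 75 already covers it, a mirror case with `Action: trivyTypes.String("allow", trivyTypes.NewTestMetadata()),`, Protocol "all" and `expected: true,` is what proves the "all" alias still triggers once the parentheses are in place, since before this fix that input would have passed for the wrong reason. TestCheckNoExcessivePortAccess begins before and ends after this hunk.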