From 35fd018ae7ad86823f114f0ac2f1376726aee444 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Fri, 18 Oct 2024 10:45:24 +0600 Subject: [PATCH] fix(misconf): fix for Azure Storage Account network acls adaptation (#7602) Signed-off-by: nikpivkin --- pkg/iac/adapters/arm/storage/adapt.go | 24 ++++++++++----------- pkg/iac/adapters/arm/storage/adapt_test.go | 25 ++++++++++++++++++---- 2 files changed, 32 insertions(+), 17 deletions(-) diff --git a/pkg/iac/adapters/arm/storage/adapt.go b/pkg/iac/adapters/arm/storage/adapt.go index 186ab5beda9d..26a0d10c8616 100644 --- a/pkg/iac/adapters/arm/storage/adapt.go +++ b/pkg/iac/adapters/arm/storage/adapt.go @@ -18,20 +18,18 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account { var accounts []storage.Account for _, resource := range deployment.GetResourcesByType("Microsoft.Storage/storageAccounts") { - var networkRules []storage.NetworkRule - for _, acl := range resource.Properties.GetMapValue("networkAcls").AsList() { + acl := resource.Properties.GetMapValue("networkAcls") - var bypasses []types.StringValue - bypassProp := acl.GetMapValue("bypass") - for _, bypass := range strings.Split(bypassProp.AsString(), ",") { - bypasses = append(bypasses, types.String(bypass, bypassProp.GetMetadata())) - } + var bypasses []types.StringValue + bypassProp := acl.GetMapValue("bypass") + for _, bypass := range strings.Split(bypassProp.AsString(), ",") { + bypasses = append(bypasses, types.String(strings.TrimSpace(bypass), bypassProp.GetMetadata())) + } - networkRules = append(networkRules, storage.NetworkRule{ - Metadata: acl.GetMetadata(), - Bypass: bypasses, - AllowByDefault: types.Bool(acl.GetMapValue("defaultAction").EqualTo("Allow"), acl.GetMetadata()), - }) + networkRule := storage.NetworkRule{ + Metadata: acl.GetMetadata(), + Bypass: bypasses, + AllowByDefault: types.Bool(acl.GetMapValue("defaultAction").EqualTo("Allow"), acl.GetMetadata()), } var queues []storage.Queue @@ -52,7 +50,7 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account { account := storage.Account{ Metadata: resource.Metadata, - NetworkRules: networkRules, + NetworkRules: []storage.NetworkRule{networkRule}, EnforceHTTPS: resource.Properties.GetMapValue("supportsHttpsTrafficOnly").AsBoolValue(false, resource.Properties.GetMetadata()), Containers: containers, QueueProperties: storage.QueueProperties{ diff --git a/pkg/iac/adapters/arm/storage/adapt_test.go b/pkg/iac/adapters/arm/storage/adapt_test.go index a6965ca1560c..372986f23529 100644 --- a/pkg/iac/adapters/arm/storage/adapt_test.go +++ b/pkg/iac/adapters/arm/storage/adapt_test.go @@ -6,6 +6,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/aquasecurity/trivy/internal/testutil" + "github.com/aquasecurity/trivy/pkg/iac/providers/azure/storage" "github.com/aquasecurity/trivy/pkg/iac/scanners/azure" "github.com/aquasecurity/trivy/pkg/iac/types" ) @@ -43,6 +45,10 @@ func Test_AdaptStorage(t *testing.T) { "minimumTlsVersion": azure.NewValue("TLS1_2", types.NewTestMetadata()), "supportsHttpsTrafficOnly": azure.NewValue(true, types.NewTestMetadata()), "publicNetworkAccess": azure.NewValue("Disabled", types.NewTestMetadata()), + "networkAcls": azure.NewValue(map[string]azure.Value{ + "bypass": azure.NewValue("Logging, Metrics", types.NewTestMetadata()), + "defaultAction": azure.NewValue("Allow", types.NewTestMetadata()), + }, types.NewTestMetadata()), }, types.NewTestMetadata()), }, }, @@ -52,9 +58,20 @@ func Test_AdaptStorage(t *testing.T) { require.Len(t, output.Accounts, 1) - account := output.Accounts[0] - assert.Equal(t, "TLS1_2", account.MinimumTLSVersion.Value()) - assert.True(t, account.EnforceHTTPS.Value()) - assert.False(t, account.PublicNetworkAccess.Value()) + expected := storage.Storage{ + Accounts: []storage.Account{{ + MinimumTLSVersion: types.StringTest("TLS1_2"), + EnforceHTTPS: types.BoolTest(true), + PublicNetworkAccess: types.BoolTest(false), + NetworkRules: []storage.NetworkRule{{ + Bypass: []types.StringValue{ + types.StringTest("Logging"), + types.StringTest("Metrics"), + }, + AllowByDefault: types.BoolTest(true), + }}, + }}, + } + testutil.AssertDefsecEqual(t, expected, output) }