
Commit

docs(queries): update queries catalog
cxMiguelSilva authored Feb 28, 2023
1 parent 124f91d commit 03a5f44
Showing 13 changed files with 2,866 additions and 2,862 deletions.
3,264 changes: 1,633 additions & 1,631 deletions docs/queries/all-queries.md

272 changes: 136 additions & 136 deletions docs/queries/ansible-queries.md

22 changes: 11 additions & 11 deletions docs/queries/azureresourcemanager-queries.md

340 changes: 170 additions & 170 deletions docs/queries/cloudformation-queries.md

28 changes: 14 additions & 14 deletions docs/queries/crossplane-queries.md
@@ -1,17 +1,27 @@
## Crossplane Queries List
This page contains all queries from Crossplane.

### AZURE
Bellow are listed queries related with Crossplane AZURE:



| Query |Severity|Category|Description|Help|
|------------------------------|--------|--------|-----------|----|
|AKS RBAC Disabled<br/><sup><sub>b2418936-cd47-4ea2-8346-623c0bdb87bd</sub></sup>|<span style="color:#C60">Medium</span>|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|<a href="https://doc.crds.dev/github.com/crossplane/provider-azure/compute.azure.crossplane.io/AKSCluster/[email protected]#spec-disableRBAC">Documentation</a><br/>|
|Redis Cache Allows Non SSL Connections<br/><sup><sub>6c7cfec3-c686-4ed2-bf58-a1ec054b63fc</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Redis Cache resource should not allow non-SSL connections.|<a href="https://doc.crds.dev/github.com/crossplane/provider-azure/cache.azure.crossplane.io/Redis/[email protected]#spec-forProvider-enableNonSslPort">Documentation</a><br/>|

### AWS
Below are listed queries related with Crossplane AWS:
Bellow are listed queries related with Crossplane AWS:



| Query |Severity|Category|Description|Help|
|------------------------------|--------|--------|-----------|----|
|EFS Without KMS<br/><sup><sub>bdecd6db-2600-47dd-a10c-72c97cf17ae9</sub></sup>|<span style="color:#C00">High</span>|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/[email protected]#spec-forProvider-kmsKeyID">Documentation</a><br/>|
|DB Instance Storage Not Encrypted<br/><sup><sub>e50eb68a-a4af-4048-8bbe-8ec324421469</sub></sup>|<span style="color:#C00">High</span>|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/[email protected]#spec-forProvider-storageEncrypted">Documentation</a><br/>|
|ELB Using Weak Ciphers<br/><sup><sub>a507daa5-0795-4380-960b-dd7bb7c56661</sub></sup>|<span style="color:#C00">High</span>|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/elbv2.aws.crossplane.io/Listener/[email protected]#spec-forProvider-sslPolicy">Documentation</a><br/>|
|EFS Not Encrypted<br/><sup><sub>72840c35-3876-48be-900d-f21b2f0c2ea1</sub></sup>|<span style="color:#C00">High</span>|Encryption|Elastic File System (EFS) must be encrypted|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/[email protected]#spec-forProvider-encrypted">Documentation</a><br/>|
|ELB Using Weak Ciphers<br/><sup><sub>a507daa5-0795-4380-960b-dd7bb7c56661</sub></sup>|<span style="color:#C00">High</span>|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/elbv2.aws.crossplane.io/Listener/[email protected]#spec-forProvider-sslPolicy">Documentation</a><br/>|
|DB Instance Storage Not Encrypted<br/><sup><sub>e50eb68a-a4af-4048-8bbe-8ec324421469</sub></sup>|<span style="color:#C00">High</span>|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/[email protected]#spec-forProvider-storageEncrypted">Documentation</a><br/>|
|CloudFront Without Minimum Protocol TLS 1.2<br/><sup><sub>255b0fcc-9f82-41fe-9229-01b163e3376b</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/[email protected]#spec-forProvider-distributionConfig-viewerCertificate-minimumProtocolVersion">Documentation</a><br/>|
|DB Security Group Has Public Interface<br/><sup><sub>dd667399-8d9d-4a8d-bbb4-e49ab53b2f52</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|The CIDR IP should not be a public interface|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/[email protected]#spec-forProvider-ingress-ipRanges-cidrIp">Documentation</a><br/>|
|Neptune Database Cluster Encryption Disabled<br/><sup><sub>83bf5aca-138a-498e-b9cd-ad5bc5e117b4</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Neptune database cluster storage should have encryption enabled|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/neptune.aws.crossplane.io/DBCluster/[email protected]#spec-forProvider-storageEncrypted">Documentation</a><br/>|
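Review bot: the rewrite of "Below are listed queries related with Crossplane AWS:" to "Bellow are listed queries related with Crossplane AWS:" in this hunk (and the same wording in the new AZURE block at the top of the file) introduces a spelling error rather than fixing one; since this page is generated, the typo is presumably in the template that emits that sentence, and it should be corrected there (to "Below are the queries related to Crossplane AWS:") before regenerating, otherwise the next catalog update carries it into every platform page. Separately, the swap of "DB Instance Storage Not Encrypted" and "ELB Using Weak Ciphers" around "EFS Not Encrypted" changes nothing but row order among equal-severity High/Encryption entries, which suggests the generator has no stable tie-breaker; sorting by severity, then category, then query name (or query ID) would stop these no-op reorders from appearing as diffs on every regeneration.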
@@ -21,31 +31,11 @@ Below are listed queries related with Crossplane AWS:
|CloudFront Without WAF<br/><sup><sub>6d19ce0f-b3d8-4128-ac3d-1064e0f00494</sub></sup>|<span style="color:#CC0">Low</span>|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/[email protected]#spec-forProvider-distributionConfig-webACLID">Documentation</a><br/>|

### GCP
Below are listed queries related with Crossplane GCP:
Bellow are listed queries related with Crossplane GCP:



| Query |Severity|Category|Description|Help|
|------------------------------|--------|--------|-----------|----|
|Cloud Storage Bucket Logging Not Enabled<br/><sup><sub>6c2d627c-de0f-45fb-b33d-dad9bffbb421</sub></sup>|<span style="color:#C00">High</span>|Observability|Cloud storage bucket should have logging enabled|<a href="https://doc.crds.dev/github.com/crossplane/provider-gcp/storage.gcp.crossplane.io/Bucket/[email protected]#spec-logging">Documentation</a><br/>|
|Google Container Node Pool Auto Repair Disabled<br/><sup><sub>b4f65d13-a609-4dc1-af7c-63d2e08bffe9</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|<a href="https://doc.crds.dev/github.com/crossplane/provider-gcp/container.gcp.crossplane.io/NodePool/[email protected]#spec-forProvider-management-autoRepair">Documentation</a><br/>|

### AZURE
Below are listed queries related with Crossplane AZURE:



| Query |Severity|Category|Description|Help|
|------------------------------|--------|--------|-----------|----|
|AKS RBAC Disabled<br/><sup><sub>b2418936-cd47-4ea2-8346-623c0bdb87bd</sub></sup>|<span style="color:#C60">Medium</span>|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|<a href="https://doc.crds.dev/github.com/crossplane/provider-azure/compute.azure.crossplane.io/AKSCluster/[email protected]#spec-disableRBAC">Documentation</a><br/>|
|Redis Cache Allows Non SSL Connections<br/><sup><sub>6c7cfec3-c686-4ed2-bf58-a1ec054b63fc</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Redis Cache resource should not allow non-SSL connections.|<a href="https://doc.crds.dev/github.com/crossplane/provider-azure/cache.azure.crossplane.io/Redis/[email protected]#spec-forProvider-enableNonSslPort">Documentation</a><br/>|
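Review bot: moving the AZURE section from the end of the file to the top leaves the platform sections in the order AZURE, AWS, GCP, which is neither the previous order (AWS, GCP, AZURE) nor alphabetical (AWS, AZURE, GCP); if the generator iterates over a map or an unsorted directory listing, the platform order should be sorted explicitly so the catalog layout is deterministic. The removed lines here also carried the correctly spelled "Below are listed queries related with Crossplane AZURE:" and "Below are listed queries related with Crossplane GCP:", while their replacements read "Bellow", so this hunk regresses the spelling as well.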
16 changes: 8 additions & 8 deletions docs/queries/dockercompose-queries.md
@@ -3,24 +3,24 @@ This page contains all queries from DockerCompose.

| Query |Severity|Category|Description|Help|
|------------------------------|--------|--------|-----------|----|
|Volume Has Sensitive Host Directory<br/><sup><sub>1c1325ff-831d-43a1-973e-839ae57dfcc0</sub></sup>|<span style="color:#C00">High</span>|Build Process|Container has sensitive host directory mounted as a volume|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference">Documentation</a><br/>|
|Volume Mounted In Multiple Containers<br/><sup><sub>baa452f0-1f21-4a25-ace5-844e7a5f410d</sub></sup>|<span style="color:#C00">High</span>|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes">Documentation</a><br/>|
|Volume Has Sensitive Host Directory<br/><sup><sub>1c1325ff-831d-43a1-973e-839ae57dfcc0</sub></sup>|<span style="color:#C00">High</span>|Build Process|Container has sensitive host directory mounted as a volume|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference">Documentation</a><br/>|
|Docker Socket Mounted In Container<br/><sup><sub>d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b</sub></sup>|<span style="color:#C00">High</span>|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.|<a href="https://docs.docker.com/compose/compose-file/#volumes">Documentation</a><br/>|
|No New Privileges Not Set<br/><sup><sub>27fcc7d6-c49b-46e0-98f1-6c082a6a2750</sub></sup>|<span style="color:#C00">High</span>|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations.|<a href="https://docs.docker.com/engine/reference/run/#security-configuration">Documentation</a><br/>|
|Privileged Containers Enabled<br/><sup><sub>ae5b6871-7f45-42e0-bb4c-ab300c4d2026</sub></sup>|<span style="color:#C00">High</span>|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir">Documentation</a><br/>|
|Healthcheck Not Set<br/><sup><sub>698ed579-b239-4f8f-a388-baa4bcb13ef8</sub></sup>|<span style="color:#C60">Medium</span>|Availability|Check containers periodically to see if they are running properly.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck">Documentation</a><br/>|
|Restart Policy On Failure Not Set To 5<br/><sup><sub>2fc99041-ddad-49d5-853f-e35e70a48391</sub></sup>|<span style="color:#C60">Medium</span>|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.|<a href="https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy">Documentation</a><br/>|
|Cgroup Not Default<br/><sup><sub>4d9f44c6-2f4a-4317-9bb5-267adbea0232</sub></sup>|<span style="color:#C60">Medium</span>|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#cgroup_parent">Documentation</a><br/>|
|Privileged Ports Mapped In Container<br/><sup><sub>bc2908f3-f73c-40a9-8793-c1b7d5544f79</sub></sup>|<span style="color:#C60">Medium</span>|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop">Documentation</a><br/>|
|Networks Not Set<br/><sup><sub>ce14a68b-1668-41a0-ab7d-facd9f784742</sub></sup>|<span style="color:#C60">Medium</span>|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#networks">Documentation</a><br/>|
|Container Traffic Not Bound To Host Interface<br/><sup><sub>451d79dc-0588-476a-ad03-3c7f0320abb3</sub></sup>|<span style="color:#C60">Medium</span>|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#ports">Documentation</a><br/>|
|Security Opt Not Set<br/><sup><sub>610e266e-6c12-4bca-9925-1ed0cd29742b</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|Attribute 'security_opt' should be defined.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt">Documentation</a><br/>|
|Shared Host User Namespace<br/><sup><sub>8af7162d-6c98-482f-868e-0d33fb675ca8</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|The host's user namespace should not be shared.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode">Documentation</a><br/>|
|Networks Not Set<br/><sup><sub>ce14a68b-1668-41a0-ab7d-facd9f784742</sub></sup>|<span style="color:#C60">Medium</span>|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#networks">Documentation</a><br/>|
|Privileged Ports Mapped In Container<br/><sup><sub>bc2908f3-f73c-40a9-8793-c1b7d5544f79</sub></sup>|<span style="color:#C60">Medium</span>|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop">Documentation</a><br/>|
|Host Namespace is Shared<br/><sup><sub>4f31dd9f-2cc3-4751-9b53-67e4af83dac0</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|The hosts process namespace should not be shared by containers|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#pid">Documentation</a><br/>|
|Default Seccomp Profile Disabled<br/><sup><sub>404fde2c-bc4b-4371-9747-7054132ac953</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt">Documentation</a><br/>|
|Pids Limit Not Set<br/><sup><sub>221e0658-cb2a-44e3-b08a-db96a341d6fa</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|'pids_limit' should be set and different than -1|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir">Documentation</a><br/>|
|Security Opt Not Set<br/><sup><sub>610e266e-6c12-4bca-9925-1ed0cd29742b</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|Attribute 'security_opt' should be defined.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt">Documentation</a><br/>|
|Shared Host Network Namespace<br/><sup><sub>071a71ff-f868-47a4-ac0b-3c59e4ab5443</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|Container should not share the host network namespace|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode">Documentation</a><br/>|
|Shared Host User Namespace<br/><sup><sub>8af7162d-6c98-482f-868e-0d33fb675ca8</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|The host's user namespace should not be shared.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode">Documentation</a><br/>|
|Memory Not Limited<br/><sup><sub>bb9ac4f7-e13b-423d-a010-c74a1bfbe492</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#resources">Documentation</a><br/>|
|Shared Host IPC Namespace<br/><sup><sub>baa3890f-bed7-46f5-ab8f-1da8fc91c729</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|Container should not share the host IPC namespace|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir">Documentation</a><br/>|
|Default Seccomp Profile Disabled<br/><sup><sub>404fde2c-bc4b-4371-9747-7054132ac953</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt">Documentation</a><br/>|
|Pids Limit Not Set<br/><sup><sub>221e0658-cb2a-44e3-b08a-db96a341d6fa</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|'pids_limit' should be set and different than -1|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir">Documentation</a><br/>|
|Container Capabilities Unrestricted<br/><sup><sub>ce76b7d0-9e77-464d-b86f-c5c48e03e22d</sub></sup>|<span style="color:#CC0">Low</span>|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop">Documentation</a><br/>|
|Cpus Not Limited<br/><sup><sub>6b610c50-99fb-4ef0-a5f3-e312fd945bc3</sub></sup>|<span style="color:#CC0">Low</span>|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#resources">Documentation</a><br/>|
|Container Capabilities Unrestricted<br/><sup><sub>ce76b7d0-9e77-464d-b86f-c5c48e03e22d</sub></sup>|<span style="color:#CC0">Low</span>|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|<a href="https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop">Documentation</a><br/>|
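Review bot: every changed line in this hunk is a row moved to a different position with identical content (8 additions, 8 deletions, no text changed), for example "Privileged Ports Mapped In Container" and "Networks Not Set" moving below "Container Traffic Not Bound To Host Interface" within the same Medium severity; this is the same unstable ordering seen in the Crossplane file and accounts for most of the 2,866-line churn in the commit. A deterministic secondary sort key (query name or query ID after severity and category) would make the catalog reproducible and make real changes, such as a new query or a severity change, reviewable. While the query metadata is being regenerated anyway, the row text for "Networks Not Set" ("bewteen", "dockers default bridge") and "Privileged Ports Mapped In Container" ("priviledged") carries spelling errors that should be fixed in the source query metadata, not in this generated file.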
