Create rule S4423: add language AzureResourceManager (#1835)

[Specification ticket](https://sonarsource.atlassian.net/browse/SONARIAC-755) [Implementation ticket](https://sonarsource.atlassian.net/browse/SONARIAC-781) [RSPEC Preview](https://sonarsource.github.io/rspec/#/rspec/S4423/azureresourcemanager) Bicep PR for S4423: #1879
SonarSource · May 11, 2023 · 42f4fbd · 42f4fbd
1 parent 40d09d2
commit 42f4fbd
Show file tree

Hide file tree

Showing 4 changed files with 147 additions and 0 deletions.
diff --git a/rules/S4423/azureresourcemanager/highlighting.adoc b/rules/S4423/azureresourcemanager/highlighting.adoc
@@ -0,0 +1,2 @@
+* Highlight `minimumTlsVersion`/`minimalTlsVersion` if it is specified but has the wrong value
+* Highlight resource if `minimumTlsVersion`/`minimalTlsVersion` is not specified at all
diff --git a/rules/S4423/azureresourcemanager/message.adoc b/rules/S4423/azureresourcemanager/message.adoc
@@ -0,0 +1,5 @@
+* If `minimumTlsVersion`/`minimalTlsVersion` is specified but has the wrong value
+** Change this code to disable support of older TLS versions.
+
+* If `minimumTlsVersion`/`minimalTlsVersion` is not specified at all
+** Set `minimumTlsVersion`/`minimalTlsVersion` to disable support of older TLS versions.
diff --git a/rules/S4423/azureresourcemanager/metadata.json b/rules/S4423/azureresourcemanager/metadata.json
@@ -0,0 +1,32 @@
+{
+    "tags": [
+      "azure",
+      "cwe",
+      "privacy"
+    ],
+  "securityStandards": {
+    "CWE": [
+      327,
+      326,
+      295
+    ],
+    "OWASP": [
+    ],
+    "OWASP Mobile": [
+    ],
+    "MASVS": [
+    ],
+    "OWASP Top 10 2021": [
+    ],
+    "PCI DSS 3.2": [
+      "4.1",
+      "6.5.4"
+    ],
+    "PCI DSS 4.0": [
+      "4.2.1",
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+    ]
+  }
+}
diff --git a/rules/S4423/azureresourcemanager/rule.adoc b/rules/S4423/azureresourcemanager/rule.adoc
@@ -0,0 +1,108 @@
+== Why is this an issue?
+
+include::../description.adoc[]
+
+=== Noncompliant code example
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts[Azure Storage accounts], TLS 1.0 and 1.1 are accepted by default.
+
+[source,json,diff-id=2,diff-type=noncompliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Storage/storageAccounts",
+      "apiVersion": "2022-09-01",
+      "name": "example",
+      "properties": {
+        "minimumTlsVersion": "TLS1_0"
+      }
+    }
+  ]
+}
+----
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformysql/servers[Azure Database for MySQL servers], https://learn.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers[Azure Database for PostgreSQL servers], and https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformariadb/servers[Azure Database for MariaDB servers], there is no minimal TLS version enforced by default.
+
+[source,json,diff-id=4,diff-type=noncompliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.DBforMySQL/servers",
+      "apiVersion": "2017-12-01",
+      "name": "example",
+      "properties": {
+        "minimalTlsVersion": "TLS1_0"
+      }
+    }
+  ]
+}
+----
+
+== Compliant Solution
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts[Azure Storage accounts]:
+
+[source,json,diff-id=2,diff-type=compliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Storage/storageAccounts",
+      "apiVersion": "2022-09-01",
+      "name": "example",
+      "properties": {
+        "minimumTlsVersion": "TLS1_2"
+      }
+    }
+  ]
+}
+----
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformysql/servers[Azure Database for MySQL servers], https://learn.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers[Azure Database for PostgreSQL servers], and https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformariadb/servers[Azure Database for MariaDB servers]:
+
+[source,json,diff-id=4,diff-type=compliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.DBforMySQL/servers",
+      "apiVersion": "2017-12-01",
+      "name": "example",
+      "properties": {
+        "minimalTlsVersion": "TLS1_2"
+      }
+    }
+  ]
+}
+----
+
+include::../see.adoc[]
+
+* https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings#minimal-tls-version[Microsoft Learn] - Azure SQL - Minimal TLS version
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::message.adoc[]
+
+include::highlighting.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+endif::env-github,rspecator-view[]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		* Highlight `minimumTlsVersion`/`minimalTlsVersion` if it is specified but has the wrong value
		* Highlight resource if `minimumTlsVersion`/`minimalTlsVersion` is not specified at all