diff --git a/rules/S4423/azureresourcemanager/highlighting.adoc b/rules/S4423/azureresourcemanager/highlighting.adoc
new file mode 100644
index 00000000000..5cdedd790d5
--- /dev/null
+++ b/rules/S4423/azureresourcemanager/highlighting.adoc
@@ -0,0 +1,2 @@
+* Highlight `minimumTlsVersion`/`minimalTlsVersion` if it is specified but has the wrong value
+* Highlight resource if `minimumTlsVersion`/`minimalTlsVersion` is not specified at all
\ No newline at end of file
diff --git a/rules/S4423/azureresourcemanager/message.adoc b/rules/S4423/azureresourcemanager/message.adoc
new file mode 100644
index 00000000000..70f93ba020c
--- /dev/null
+++ b/rules/S4423/azureresourcemanager/message.adoc
@@ -0,0 +1,5 @@
+* If `minimumTlsVersion`/`minimalTlsVersion` is specified but has the wrong value
+** Change this code to disable support of older TLS versions.
+
+* If `minimumTlsVersion`/`minimalTlsVersion` is not specified at all
+** Set `minimumTlsVersion`/`minimalTlsVersion` to disable support of older TLS versions.
diff --git a/rules/S4423/azureresourcemanager/metadata.json b/rules/S4423/azureresourcemanager/metadata.json
new file mode 100644
index 00000000000..03df4cf69d7
--- /dev/null
+++ b/rules/S4423/azureresourcemanager/metadata.json
@@ -0,0 +1,32 @@
+{
+ "tags": [
+ "azure",
+ "cwe",
+ "privacy"
+ ],
+ "securityStandards": {
+ "CWE": [
+ 327,
+ 326,
+ 295
+ ],
+ "OWASP": [
+ ],
+ "OWASP Mobile": [
+ ],
+ "MASVS": [
+ ],
+ "OWASP Top 10 2021": [
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ ]
+ }
+}
diff --git a/rules/S4423/azureresourcemanager/rule.adoc b/rules/S4423/azureresourcemanager/rule.adoc
new file mode 100644
index 00000000000..3db3c9d3ad0
--- /dev/null
+++ b/rules/S4423/azureresourcemanager/rule.adoc
@@ -0,0 +1,108 @@
+== Why is this an issue?
+
+include::../description.adoc[]
+
+=== Noncompliant code example
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts[Azure Storage accounts], TLS 1.0 and 1.1 are accepted by default.
+
+[source,json,diff-id=2,diff-type=noncompliant]
+----
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2022-09-01",
+ "name": "example",
+ "properties": {
+ "minimumTlsVersion": "TLS1_0"
+ }
+ }
+ ]
+}
+----
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformysql/servers[Azure Database for MySQL servers], https://learn.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers[Azure Database for PostgreSQL servers], and https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformariadb/servers[Azure Database for MariaDB servers], there is no minimal TLS version enforced by default.
+
+[source,json,diff-id=4,diff-type=noncompliant]
+----
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforMySQL/servers",
+ "apiVersion": "2017-12-01",
+ "name": "example",
+ "properties": {
+ "minimalTlsVersion": "TLS1_0"
+ }
+ }
+ ]
+}
+----
+
+== Compliant Solution
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts[Azure Storage accounts]:
+
+[source,json,diff-id=2,diff-type=compliant]
+----
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2022-09-01",
+ "name": "example",
+ "properties": {
+ "minimumTlsVersion": "TLS1_2"
+ }
+ }
+ ]
+}
+----
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformysql/servers[Azure Database for MySQL servers], https://learn.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers[Azure Database for PostgreSQL servers], and https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformariadb/servers[Azure Database for MariaDB servers]:
+
+[source,json,diff-id=4,diff-type=compliant]
+----
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforMySQL/servers",
+ "apiVersion": "2017-12-01",
+ "name": "example",
+ "properties": {
+ "minimalTlsVersion": "TLS1_2"
+ }
+ }
+ ]
+}
+----
+
+include::../see.adoc[]
+
+* https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings#minimal-tls-version[Microsoft Learn] - Azure SQL - Minimal TLS version
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::message.adoc[]
+
+include::highlighting.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+endif::env-github,rspecator-view[]