From 42f4fbdd5a122f584d956594180ae7097cfecd03 Mon Sep 17 00:00:00 2001
From: Egon Okerman <egon.okerman@sonarsource.com>
Date: Thu, 11 May 2023 17:14:01 +0200
Subject: [PATCH] Create rule S4423: add language AzureResourceManager (#1835)

[Specification
ticket](https://sonarsource.atlassian.net/browse/SONARIAC-755)
[Implementation
ticket](https://sonarsource.atlassian.net/browse/SONARIAC-781)
[RSPEC
Preview](https://sonarsource.github.io/rspec/#/rspec/S4423/azureresourcemanager)

Bicep PR for S4423: #1879
---
 .../azureresourcemanager/highlighting.adoc    |   2 +
 rules/S4423/azureresourcemanager/message.adoc |   5 +
 .../S4423/azureresourcemanager/metadata.json  |  32 ++++++
 rules/S4423/azureresourcemanager/rule.adoc    | 108 ++++++++++++++++++
 4 files changed, 147 insertions(+)
 create mode 100644 rules/S4423/azureresourcemanager/highlighting.adoc
 create mode 100644 rules/S4423/azureresourcemanager/message.adoc
 create mode 100644 rules/S4423/azureresourcemanager/metadata.json
 create mode 100644 rules/S4423/azureresourcemanager/rule.adoc

diff --git a/rules/S4423/azureresourcemanager/highlighting.adoc b/rules/S4423/azureresourcemanager/highlighting.adoc
new file mode 100644
index 00000000000..5cdedd790d5
--- /dev/null
+++ b/rules/S4423/azureresourcemanager/highlighting.adoc
@@ -0,0 +1,2 @@
+* Highlight `minimumTlsVersion`/`minimalTlsVersion` if it is specified but has the wrong value
+* Highlight resource if `minimumTlsVersion`/`minimalTlsVersion` is not specified at all
\ No newline at end of file
diff --git a/rules/S4423/azureresourcemanager/message.adoc b/rules/S4423/azureresourcemanager/message.adoc
new file mode 100644
index 00000000000..70f93ba020c
--- /dev/null
+++ b/rules/S4423/azureresourcemanager/message.adoc
@@ -0,0 +1,5 @@
+* If `minimumTlsVersion`/`minimalTlsVersion` is specified but has the wrong value
+** Change this code to disable support of older TLS versions.
+
+* If `minimumTlsVersion`/`minimalTlsVersion` is not specified at all
+** Set `minimumTlsVersion`/`minimalTlsVersion` to disable support of older TLS versions.
diff --git a/rules/S4423/azureresourcemanager/metadata.json b/rules/S4423/azureresourcemanager/metadata.json
new file mode 100644
index 00000000000..03df4cf69d7
--- /dev/null
+++ b/rules/S4423/azureresourcemanager/metadata.json
@@ -0,0 +1,32 @@
+{
+    "tags": [
+      "azure",
+      "cwe",
+      "privacy"
+    ],
+  "securityStandards": {
+    "CWE": [
+      327,
+      326,
+      295
+    ],
+    "OWASP": [
+    ],
+    "OWASP Mobile": [
+    ],
+    "MASVS": [
+    ],
+    "OWASP Top 10 2021": [
+    ],
+    "PCI DSS 3.2": [
+      "4.1",
+      "6.5.4"
+    ],
+    "PCI DSS 4.0": [
+      "4.2.1",
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+    ]
+  }
+}
diff --git a/rules/S4423/azureresourcemanager/rule.adoc b/rules/S4423/azureresourcemanager/rule.adoc
new file mode 100644
index 00000000000..3db3c9d3ad0
--- /dev/null
+++ b/rules/S4423/azureresourcemanager/rule.adoc
@@ -0,0 +1,108 @@
+== Why is this an issue?
+
+include::../description.adoc[]
+
+=== Noncompliant code example
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts[Azure Storage accounts], TLS 1.0 and 1.1 are accepted by default.
+
+[source,json,diff-id=2,diff-type=noncompliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Storage/storageAccounts",
+      "apiVersion": "2022-09-01",
+      "name": "example",
+      "properties": {
+        "minimumTlsVersion": "TLS1_0"
+      }
+    }
+  ]
+}
+----
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformysql/servers[Azure Database for MySQL servers], https://learn.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers[Azure Database for PostgreSQL servers], and https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformariadb/servers[Azure Database for MariaDB servers], there is no minimal TLS version enforced by default.
+
+[source,json,diff-id=4,diff-type=noncompliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.DBforMySQL/servers",
+      "apiVersion": "2017-12-01",
+      "name": "example",
+      "properties": {
+        "minimalTlsVersion": "TLS1_0"
+      }
+    }
+  ]
+}
+----
+
+== Compliant Solution
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts[Azure Storage accounts]:
+
+[source,json,diff-id=2,diff-type=compliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Storage/storageAccounts",
+      "apiVersion": "2022-09-01",
+      "name": "example",
+      "properties": {
+        "minimumTlsVersion": "TLS1_2"
+      }
+    }
+  ]
+}
+----
+
+For https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformysql/servers[Azure Database for MySQL servers], https://learn.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers[Azure Database for PostgreSQL servers], and https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformariadb/servers[Azure Database for MariaDB servers]:
+
+[source,json,diff-id=4,diff-type=compliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.DBforMySQL/servers",
+      "apiVersion": "2017-12-01",
+      "name": "example",
+      "properties": {
+        "minimalTlsVersion": "TLS1_2"
+      }
+    }
+  ]
+}
+----
+
+include::../see.adoc[]
+
+* https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings#minimal-tls-version[Microsoft Learn] - Azure SQL - Minimal TLS version
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::message.adoc[]
+
+include::highlighting.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+endif::env-github,rspecator-view[]
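Review bot: The specification never states which `minimumTlsVersion`/`minimalTlsVersion` values count as "the wrong value" that message.adoc and highlighting.adoc refer to: the examples only contrast `TLS1_0` with `TLS1_2`, while the sentence above the first example says TLS 1.0 and 1.1 are both accepted by default, so the implementation has to guess whether `TLS1_1` is reported. I would add one sentence after the first noncompliant example, such as `Values below TLS1_2, i.e. TLS1_0 and TLS1_1, are reported as noncompliant.`. For the DB server family the text says no minimum version is enforced by default and the highlighting spec raises on a resource where the property is absent, yet both noncompliant examples set the property; a second snippet with `properties` omitting `minimalTlsVersion` would document the "not specified" case the analyzer is expected to flag. Finally the heading levels are inconsistent: `== Compliant Solution` is level 2 while `=== Noncompliant code example` is level 3, so `=== Compliant solution` would keep both under the same section.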