Modify Rule S6382: Fix outdated properties (APPSEC-773) (#2514)

* Fix outdated property * Swap Web Apps for Containers and App Service
SonarSource · Sep 11, 2024 · a3a2e69 · a3a2e69
1 parent 0e30d8d
commit a3a2e69
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 18 deletions.
diff --git a/rules/S6382/terraform/highlighting.adoc b/rules/S6382/terraform/highlighting.adoc
@@ -3,4 +3,4 @@
 * If one (out of one) assignment is missing: Highlight the resource
 * If an assignment is security-sensitive: Highlight the assignment
 * For `linux_web_app` and `windows_web_app`:
-** If both assignments are present and security-sensitive: Highlight `client_cert_enabled = false`
+** If both assignments are present and security-sensitive: Highlight `client_certificate_enabled = false`
diff --git a/rules/S6382/terraform/message.adoc b/rules/S6382/terraform/message.adoc
@@ -6,16 +6,20 @@ For these resources:
 * `app_service`
 * `data_factory_linked_service_sftp`
 * `data_factory_linked_service_web`
-* `linux_web_app` 
-* `windows_web_app` (if both parameters are non-compliant, flag `client_cert_enabled` first)
+* `linux_web_app`
+* `windows_web_app` (if both parameters are non-compliant, flag `client_certificate_enabled` first)
 
 These messages apply:
 
 * If an assignment is missing: Omitting {property_name} disables certificate-based authentication. Make sure it is safe here.
 * If the assignment is security-sensitive: Make sure that disabling certificate-based authentication is safe here.
 
-* For `function_app` and `logic_app_standard`:
+* For `function_app`:
 ** Omitting `client_cert_mode` makes certificate-based authentication optional. Make sure it is safe here.
 ** Make sure that setting certificate-based authentication as optional is safe here.
 
+* For `logic_app_standard`:
+** Omitting `client_certificate_mode` makes certificate-based authentication optional. Make sure it is safe here.
+** Make sure that setting certificate-based authentication as optional is safe here.
+
 Make sure that disabling certificate-based authentication is safe here.
diff --git a/rules/S6382/terraform/rule.adoc b/rules/S6382/terraform/rule.adoc
@@ -6,13 +6,17 @@ include::../common/recommended.adoc[]
 
 == Sensitive Code Example
 
-For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
+For https://azure.microsoft.com/en-us/services/app-service/containers/[Linux and Windows Web Apps]:
 
 [source,terraform,diff-id=1,diff-type=noncompliant]
 ----
-resource "azurerm_app_service" "example" {
+resource "azurerm_linux_web_app" "example" {
   client_cert_enabled = false # Sensitive
 }
+resource "azurerm_linux_web_app" "example2" {
+  client_certificate_enabled = true
+  client_certificate_mode = "Optional" # Sensitive
+}
 ----
 
 For https://azure.microsoft.com/en-us/services/logic-apps/[Logic App Standards] and https://azure.microsoft.com/en-us/services/functions/[Function Apps]:
@@ -43,27 +47,24 @@ resource "azurerm_api_management" "example" {
 }
 ----
 
-For https://azure.microsoft.com/en-us/services/app-service/containers/[Linux and Windows Web Apps]:
+For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
 
 [source,terraform,diff-id=5,diff-type=noncompliant]
 ----
-resource "azurerm_linux_web_app" "example" {
+resource "azurerm_app_service" "example" {
   client_cert_enabled = false # Sensitive
 }
-resource "azurerm_linux_web_app" "exemple2" {
-  client_cert_enabled = true
-  client_cert_mode = "Optional" # Sensitive
-}
 ----
 
 == Compliant Solution
 
-For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
+For https://azure.microsoft.com/en-us/services/app-service/containers/[Linux and Windows Web Apps]:
 
 [source,terraform,diff-id=1,diff-type=compliant]
 ----
-resource "azurerm_app_service" "example" {
-  client_cert_enabled = true
+resource "azurerm_linux_web_app" "example" {
+  client_certificate_enabled = true
+  client_certificate_mode = "Required"
 }
 ----
 
@@ -95,13 +96,12 @@ resource "azurerm_api_management" "example" {
 }
 ----
 
-For https://azure.microsoft.com/en-us/services/app-service/containers/[Linux and Windows Web Apps]:
+For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
 
 [source,terraform,diff-id=5,diff-type=compliant]
 ----
-resource "azurerm_linux_web_app" "exemple" {
+resource "azurerm_app_service" "example" {
   client_cert_enabled = true
-  client_cert_mode = "Required"
 }
 ----