From a85c563c87a6266c13c236974a1dd7b3887b88d1 Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Tue, 12 Dec 2023 18:50:08 +0700
Subject: [PATCH] feat(digitalocean): improve AVD-AWS-0012 rule
---
 .../digitalocean/compute/enforce_https.go | 3 +++
 .../digitalocean/compute/enforce_https_test.go | 18 ++++++++++++++++++
 go.mod | 2 ++
 go.sum | 2 --
 4 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/checks/cloud/digitalocean/compute/enforce_https.go b/checks/cloud/digitalocean/compute/enforce_https.go
index 7c03108c..ad7e7385 100755
--- a/checks/cloud/digitalocean/compute/enforce_https.go
+++ b/checks/cloud/digitalocean/compute/enforce_https.go
@@ -33,6 +33,9 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning
 },
 func(s *state.State) (results scan.Results) {
 for _, lb := range s.DigitalOcean.Compute.LoadBalancers {
+ if lb.RedirectHttpToHttps.IsTrue() {
+ continue
+ }
 for _, rule := range lb.ForwardingRules {
 if rule.EntryProtocol.EqualTo("http") {
 results.Add(
diff --git a/checks/cloud/digitalocean/compute/enforce_https_test.go b/checks/cloud/digitalocean/compute/enforce_https_test.go
index 6ec4fe61..4e0f88a6 100644
--- a/checks/cloud/digitalocean/compute/enforce_https_test.go
+++ b/checks/cloud/digitalocean/compute/enforce_https_test.go
@@ -53,6 +53,24 @@ func TestCheckEnforceHttps(t *testing.T) {
 },
 expected: false,
 },
+ {
+ name: "Load balancer forwarding rule using HTTP, but HTTP redirection to HTTPS is enabled",
+ input: compute.Compute{
+ LoadBalancers: []compute.LoadBalancer{
+ {
+ Metadata: defsecTypes.NewTestMetadata(),
+ RedirectHttpToHttps: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
+ ForwardingRules: []compute.ForwardingRule{
+ {
+ Metadata: defsecTypes.NewTestMetadata(),
+ EntryProtocol: defsecTypes.String("http", defsecTypes.NewTestMetadata()),
+ },
+ },
+ },
+ },
+ },
+ expected: false,
+ },
 }
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
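Review bot: The added `continue` skips every forwarding rule on the load balancer once `RedirectHttpToHttps` is true, but DigitalOcean documents that setting as redirecting only HTTP on port 80 to HTTPS on port 443, so an `http` entry rule on any other port would stay unencrypted and no longer be reported. If the forwarding-rule type exposes the entry port (not visible in this hunk), the skip belongs inside the inner loop and should be limited to the port-80 rule; otherwise record the limitation next to the skip, e.g. `// redirect_http_to_https only covers port 80 -> 443; HTTP rules on other ports are not redirected`. It is also worth confirming how `IsTrue()` treats an unresolved value, so that an unknown setting does not suppress the finding. The enclosing check function starts and ends outside the hunk.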
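Review bot: The new table entry in enforce_https_test.go only pins the suppressed path; nothing in this hunk pins that an `http` rule is still reported when redirection is explicitly off. A sibling case with `RedirectHttpToHttps: defsecTypes.Bool(false, defsecTypes.NewTestMetadata())` and `expected: true` would guard against the skip becoming unconditional; the earlier cases outside this hunk may only cover that through the field's zero value. TestCheckEnforceHttps starts before and ends after the hunk.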
diff --git a/go.mod b/go.mod
index f7774b46..cb8d91a9 100644
--- a/go.mod
+++ b/go.mod
@@ -88,3 +88,5 @@ require (
 gopkg.in/warnings.v0 v0.1.2 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 )
+
+replace github.com/aquasecurity/defsec => /Users/nikita/projects/defsec
diff --git a/go.sum b/go.sum
index e63fb92a..d9d3d0c5 100644
--- a/go.sum
+++ b/go.sum
@@ -22,8 +22,6 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= -github.com/aquasecurity/defsec v0.93.2-0.20231209043331-6c7b9811ed2a h1:88tMKS0nhQwhcouVkqDNgOZ40qvPodpWE/uOqgHBOnw= -github.com/aquasecurity/defsec v0.93.2-0.20231209043331-6c7b9811ed2a/go.mod h1:NBF6hvbQSc4s/WCHdKV5sNNxLl258M2OiIFoUfgEn/k= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
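Review bot: The added `replace github.com/aquasecurity/defsec => /Users/nikita/projects/defsec` in go.mod points the module at a directory on the author's machine, so the build fails for anyone else and in CI, and whatever happens to be in that directory is compiled without a pinned version. The go.sum hunk in the same commit drops both defsec checksum lines, so the dependency is no longer covered by checksum verification either. Drop the `replace` before merging and instead bump the `require` entry to a published defsec version that contains `RedirectHttpToHttps`, then run `go mod tidy` to restore the go.sum entries.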