From 0f571bc674f41f5532161aeae485b815cf10e7cf Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Thu, 15 Aug 2024 20:32:50 +0600
Subject: [PATCH] fix(misconf): change default TLS values for the Azure storage account (#7345)
Signed-off-by: nikpivkin
---
 pkg/iac/adapters/arm/storage/adapt.go | 2 +-
 pkg/iac/adapters/arm/storage/adapt_test.go | 2 +-
 pkg/iac/adapters/terraform/azure/storage/adapt.go | 6 ++++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/pkg/iac/adapters/arm/storage/adapt.go b/pkg/iac/adapters/arm/storage/adapt.go
index 1b10ebbe9ad8..018949e24e10 100644
--- a/pkg/iac/adapters/arm/storage/adapt.go
+++ b/pkg/iac/adapters/arm/storage/adapt.go
@@ -59,7 +59,7 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {
 Metadata: resource.Properties.GetMetadata(),
 EnableLogging: types.BoolDefault(false, resource.Properties.GetMetadata()),
 },
- MinimumTLSVersion: resource.Properties.GetMapValue("minimumTlsVersion").AsStringValue("TLS1_0", resource.Properties.GetMetadata()),
+ MinimumTLSVersion: resource.Properties.GetMapValue("minimumTlsVersion").AsStringValue("", resource.Properties.GetMetadata()),
 Queues: queues,
 }
 accounts = append(accounts, account)
diff --git a/pkg/iac/adapters/arm/storage/adapt_test.go b/pkg/iac/adapters/arm/storage/adapt_test.go
index d1e124e2449e..f4fd81f47ad2 100644
--- a/pkg/iac/adapters/arm/storage/adapt_test.go
+++ b/pkg/iac/adapters/arm/storage/adapt_test.go
@@ -26,7 +26,7 @@ func Test_AdaptStorageDefaults(t *testing.T) {
 require.Len(t, output.Accounts, 1)
 account := output.Accounts[0]
- assert.Equal(t, "TLS1_0", account.MinimumTLSVersion.Value())
+ assert.Equal(t, "", account.MinimumTLSVersion.Value())
 assert.False(t, account.EnforceHTTPS.Value())
 }
diff --git a/pkg/iac/adapters/terraform/azure/storage/adapt.go b/pkg/iac/adapters/terraform/azure/storage/adapt.go
index edc5f0029be7..6a51cf1fca2b 100644
--- a/pkg/iac/adapters/terraform/azure/storage/adapt.go
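Review bot: Defaulting `MinimumTLSVersion` to "" when the template omits `minimumTlsVersion` means a rule that only flags an explicit weak value (for example by comparing against "TLS1_0") now passes accounts that never set the property, even though such accounts have historically been created by the ARM resource provider with TLS 1.0 in effect (this depends on the API version and Azure's platform default, neither of which this hunk shows). The empty string therefore needs a documented meaning, and the consuming check should treat "" as "not explicitly hardened" rather than as compliant. I would annotate the new line: `// "" means the template did not set minimumTlsVersion; the platform default applies and the rule must decide how to score it`. adaptAccounts starts before and ends after this hunk.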
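Review bot: The updated assertion only pins the unset case, so nothing here proves that an explicitly set `minimumTlsVersion` still reaches `MinimumTLSVersion` unchanged, which is the distinction this change is meant to create. Add a second fixture whose account properties carry `"minimumTlsVersion": "TLS1_2"` and assert `assert.Equal(t, "TLS1_2", account.MinimumTLSVersion.Value())`. The deployment fixture is built before this hunk, so its exact shape is not visible here.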
+++ b/pkg/iac/adapters/terraform/azure/storage/adapt.go
@@ -6,6 +6,8 @@ import (
 iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 )
+const minimumTlsVersionOneTwo = "TLS1_2"
+
 func Adapt(modules terraform.Modules) storage.Storage {
 accounts, containers, networkRules := adaptAccounts(modules)
@@ -106,7 +108,7 @@ func adaptAccount(resource *terraform.Block) storage.Account {
 Metadata: resource.GetMetadata(),
 EnableLogging: iacTypes.BoolDefault(false, resource.GetMetadata()),
 },
- MinimumTLSVersion: iacTypes.StringDefault("TLS1_2", resource.GetMetadata()),
+ MinimumTLSVersion: iacTypes.StringDefault(minimumTlsVersionOneTwo, resource.GetMetadata()),
 }
 networkRulesBlocks := resource.GetBlocks("network_rules")
@@ -127,7 +129,7 @@ func adaptAccount(resource *terraform.Block) storage.Account {
 }
 minTLSVersionAttr := resource.GetAttribute("min_tls_version")
- account.MinimumTLSVersion = minTLSVersionAttr.AsStringValueOrDefault("TLS1_0", resource)
+ account.MinimumTLSVersion = minTLSVersionAttr.AsStringValueOrDefault(minimumTlsVersionOneTwo, resource)
 return account
 }
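Review bot: The new constant's name breaks the Go initialism convention and this file's own spelling: the struct field is `MinimumTLSVersion` and the local is `minTLSVersionAttr`, so `minimumTlsVersionOneTwo` should be `minimumTLSVersionOneTwo`, or better `defaultMinTLSVersion`, which names its role rather than its value. A one-line comment should also record why TLS1_2 is the fallback, e.g. `// defaultMinTLSVersion mirrors the azurerm provider's default for min_tls_version when the attribute is unset; confirm against the provider versions this adapter targets`. The ARM adapter in the same commit adapts the unset case to "", so the two adapters now deliberately disagree; a sentence saying so in the comment stops someone later "fixing" one to match the other.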
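Review bot: The `MinimumTLSVersion` initialiser in this struct literal is a dead store: later in the same function (visible in the following hunk) `account.MinimumTLSVersion` is reassigned from `minTLSVersionAttr.AsStringValueOrDefault(...)` with the same default, so the value set here never survives unless something in the unseen lines between the two hunks returns early. Having two places that must agree is exactly how the previous "TLS1_2" versus "TLS1_0" mismatch crept in, so keep a single source of truth. Either drop the field from the literal or keep it and delete the later assignment. adaptAccount starts before and ends after this hunk.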
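Review bot: With this default an `azurerm_storage_account` that omits `min_tls_version` is reported as TLS1_2, which matches the azurerm provider's current documented default but cannot be confirmed from this hunk, and older provider releases defaulted the attribute to TLS1_0, so the adapter is now silently trusting whichever provider version the user pins. Unlike the ARM adapter in this same commit, which adapts the unset case to "", an unset attribute here is indistinguishable from an explicit `min_tls_version = "TLS1_2"`, so a rule cannot tell "hardened by configuration" from "hardened by provider default". At minimum document the assumption on the new line: `// unset min_tls_version: rely on the azurerm provider default of TLS1_2 (older providers used TLS1_0); not distinguishable from an explicit value`. adaptAccount starts before this hunk.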