ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4423/terraform/rule.adoc
Pierre-Loup 770348d041
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537) 
* Add check for security standard mismatch

* Fix security standard mismatches

* Fix Resources/Standards links for secrets rules

* Fix check

* Fix links and update security standard mapping

* Fix maintanability issue

* Apply review suggestions

* Apply suggestions from code review

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Fix typo

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00

114 lines
3.2 KiB
Plaintext
Raw Blame History

include::../summary.adoc[]
== Why is this an issue?
include::../rationale.adoc[]
include::../impact.adoc[]
// How to fix it section
include::how-to-fix-it/aws-api-gateway.adoc[]
include::how-to-fix-it/aws-opensearch.adoc[]
include::how-to-fix-it/azure-mssql.adoc[]
include::how-to-fix-it/gcp-lb.adoc[]
== Resources
include::../common/resources/docs.adoc[]
include::../common/resources/articles.adoc[]
include::../common/resources/presentations.adoc[]
include::../common/resources/standards_iac.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
==== AWS
For `aws_elasticsearch_domain`:
* If `tls_security_policy` is specified but has the wrong value
** Change this code to disable support of older TLS versions.
* If `domain_endpoint_options` is specified but does not contain `tls_security_policy`
** Set "tls_security_policy" to disable support of older TLS versions.
* If resource if `domain_endpoint_options` is not specified at all
** Set "domain_endpoint_options.tls_security_policy" to disable support of older TLS versions.
For `aws_api_gateway_domain_name`:
* If `security_policy` is specified but has the wrong value
** Change this code to disable support of older TLS versions.
* If resource if `security_policy` is not specified at all
** Set "security_policy" to disable support of older TLS versions.
For `aws_apigatewayv2_domain_name`:
* If `security_policy` is specified but has the wrong value
** Change this code to disable support of older TLS versions.
* If `domain_name_configuration` is specified but does not contain `security_policy`
** Set "security_policy" to disable support of older TLS versions.
* If resource if `domain_name_configuration` is not specified at all
** Set "domain_name_configuration.security_policy" to disable support of older TLS versions.
==== GCP
For `google_compute_ssl_policy`:
* If `min_tls_version` is specified but has the wrong value
** Change this code to disable support of older TLS versions.
* If `min_tls_version` is not specified at all
** Set "min_tls_version" to disable support of older TLS versions.
=== Highlighting
==== AWS
For `aws_elasticsearch_domain`:
* Highlight `tls_security_policy` if it is specified but has the wrong value
* Highlight `domain_endpoint_options` if it is specified but does not contain `tls_security_policy`
* Highlight resource if `domain_endpoint_options` is not specified at all
For `aws_api_gateway_domain_name`:
* Highlight `security_policy` if it is specified but has the wrong value
* Highlight resource if `security_policy` is not specified at all
For `aws_apigatewayv2_domain_name`:
* Highlight `security_policy` if it is specified but has the wrong value
* Highlight `domain_name_configuration` if it is specified but does not contain `security_policy`
* Highlight resource if `domain_name_configuration` is not specified at all
==== GCP
For `google_compute_ssl_policy`:
* Highlight `min_tls_version` if it is specified but has the wrong value
* Highlight resource if `min_tls_version` is not specified at all
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink