From e816bd65676ff55cb4eeddf26b449424e49df977 Mon Sep 17 00:00:00 2001
From: Saurabh Chakraborthy
Date: Sat, 18 Nov 2023 17:04:54 +0530
Subject: [PATCH] Modify compliant and non-compliant examples of s3-partial-encrypt-cdk, exposure-of-sensitive-information-cdk.
---
 .../exposure_of_sensitive_information_cdk.ts | 41 +++++++++++++++++++
 .../s3_partial_encrypt_cdk.ts | 38 +++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 src/typescript/detector/high/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk.ts
 create mode 100644 src/typescript/detector/high/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk.ts
diff --git a/src/typescript/detector/high/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk.ts b/src/typescript/detector/high/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk.ts
new file mode 100644
index 0000000..f5f4a73
--- /dev/null
+++ b/src/typescript/detector/high/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk.ts
@@ -0,0 +1,41 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+
+// {fact rule=exposure-of-sensitive-information-cdk@v1.0 defects=1}
+import * as cdk from '@aws-cdk/core'
+import { CfnSecurityGroupIngress, } from 'aws-cdk-lib/aws-ec2'
+import {Stack} from 'aws-cdk-lib/core'
+
+export class CdkStarterStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Noncompliant: 0.0.0.0/0 range is used
+ new CfnSecurityGroupIngress(Stack, 'rIngress', {
+ ipProtocol: 'tcp',
+ cidrIp: '0.0.0.0/0',
+ })
+ }
+}
+// {/fact}
+
+// {fact rule=exposure-of-sensitive-information-cdk@v1.0 defects=0}
+import * as cdk from '@aws-cdk/core'
+import { CfnSecurityGroupIngress, } from 'aws-cdk-lib/aws-ec2'
+import {Stack} from 'aws-cdk-lib/core'
+
+export class CdkStarterStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Compliant: 0.0.0.0/0 range is not used
+ new CfnSecurityGroupIngress(Stack, 'rIngress', {
+ ipProtocol: 'tcp',
+ cidrIp: '1.2.3.4/32',
+ })
+ }
+}
+// {/fact}
diff --git a/src/typescript/detector/high/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk.ts b/src/typescript/detector/high/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk.ts
new file mode 100644
index 0000000..774ae23
--- /dev/null
+++ b/src/typescript/detector/high/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk.ts
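Review bot: Both `new CfnSecurityGroupIngress(Stack, 'rIngress', …)` calls pass the imported `Stack` class as the construct scope instead of the stack instance, so the examples do not type-check against the construct signature; both lines should read `new CfnSecurityGroupIngress(this, 'rIngress', {`. The file also mixes `@aws-cdk/core` (CDK v1) with `aws-cdk-lib` (CDK v2) imports, which looks unintended since the second file in this patch uses only `@aws-cdk/core`. The compliant example narrows `cidrIp` to a /32 but leaves `fromPort`/`toPort` unset, which for `tcp` the CloudFormation resource expects to be given; a least-privilege example would pin the range, e.g. `fromPort: 443, toPort: 443,` (constructed value). The noncompliant comment could state the risk the rule detects rather than restate the literal: `// Noncompliant: 0.0.0.0/0 exposes the port to the whole internet`.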
@@ -0,0 +1,38 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+
+// {fact rule=s3-partial-encrypt-cdk@v1.0 defects=1}
+import * as s3 from '@aws-cdk/aws-s3'
+import * as cdk from '@aws-cdk/core'
+
+
+export class CdkStarterStack extends cdk.Stack {
+
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Noncompliant: No encryption specified
+ const bucket = new s3.Bucket(this, 's3-bucket-bad')
+ }
+}
+// {/fact}
+
+// {fact rule=s3-partial-encrypt-cdk@v1.0 defects=0}
+import * as s3 from '@aws-cdk/aws-s3'
+import * as cdk from '@aws-cdk/core'
+
+
+export class CdkStarterStack extends cdk.Stack {
+
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Compliant: S3_MANGAGED encryption being used
+ const bucket = new s3.Bucket(this, 's3-bucket',
+ { encryption: s3.BucketEncryption.S3_MANAGED })
+ }
+}
+// {/fact}
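Review bot: The comment on the compliant example misspells the enum member it refers to; `// Compliant: S3_MANGAGED encryption being used` should read `// Compliant: S3_MANAGED encryption being used`, matching `s3.BucketEncryption.S3_MANAGED` on the following line. In both examples `const bucket` is assigned and never read, which `noUnusedLocals` would flag; dropping the binding, `new s3.Bucket(this, 's3-bucket-bad')`, keeps the snippet minimal and mirrors the style of the first file in this patch. The noncompliant comment would be more useful if it named the consequence the rule is about, e.g. `// Noncompliant: no encryption specified, so the @aws-cdk/aws-s3 v1 default of BucketEncryption.UNENCRYPTED applies` — worth confirming against the CDK version these examples are pinned to.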