update(query): update App Service Not Using Latest TLS Encryption Ver…

…sion query to the latest version (#7302) * Update query.rego Latest TLS Encryption Version is 1.3 * Changes in pull request to include positive and negative tests --------- Co-authored-by: Rui Araújo Gomes <[email protected]>
Checkmarx · Jan 17, 2025 · 4bf94f2 · 4bf94f2
1 parent 2959d7e
commit 4bf94f2
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 9 deletions.
diff --git a/...ts/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego b/...ts/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego
@@ -7,20 +7,20 @@ CxPolicy[result] {
 	app := input.document[i].resource.azurerm_app_service[name]
 
 	is_number(app.site_config.min_tls_version)
-	app.site_config.min_tls_version != 1.2
+	app.site_config.min_tls_version != 1.3
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "azurerm_app_service",
 		"resourceName": tf_lib.get_resource_name(app, name),
 		"searchKey": sprintf("azurerm_app_service[%s].site_config.min_tls_version", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' should be set to '1.2'", [name]),
-		"keyActualValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' is not set to '1.2'", [name]),
+		"keyExpectedValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' should be set to '1.3'", [name]),
+		"keyActualValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' is not set to '1.3'", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "site_config", "min_tls_version"], []),
 		"remediation": json.marshal({
 			"before": sprintf("%.1f", [app.site_config.min_tls_version]),
-			"after": "1.2"
+			"after": "1.3"
 		}),
 		"remediationType": "replacement",
 	}
@@ -30,20 +30,20 @@ CxPolicy[result] {
 	app := input.document[i].resource.azurerm_app_service[name]
 
 	not is_number(app.site_config.min_tls_version)
-	app.site_config.min_tls_version != "1.2"
+	app.site_config.min_tls_version != "1.3"
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "azurerm_app_service",
 		"resourceName": tf_lib.get_resource_name(app, name),
 		"searchKey": sprintf("azurerm_app_service[%s].site_config.min_tls_version", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' should be set to '1.2'", [name]),
-		"keyActualValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' is not set to '1.2'", [name]),
+		"keyExpectedValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' should be set to '1.3'", [name]),
+		"keyActualValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' is not set to '1.3'", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "site_config", "min_tls_version"], []),
 		"remediation": json.marshal({
 			"before": sprintf("%s", [app.site_config.min_tls_version]),
-			"after": "1.2"
+			"after": "1.3"
 		}),
 		"remediationType": "replacement",
 	}

diff --git a/...ies/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/negative1.tf b/...ies/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/negative1.tf
@@ -7,6 +7,6 @@ resource "azurerm_app_service" "negative1" {
   site_config {
     dotnet_framework_version = "v4.0"
     scm_type                 = "LocalGit"
-    min_tls_version = 1.2
+    min_tls_version = 1.3
   }
 }
diff --git a/...ies/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive2.tf b/...ies/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive2.tf
@@ -0,0 +1,12 @@
+resource "azurerm_app_service" "positive2" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+    min_tls_version = 1.2
+  }
+}
diff --git a/...re/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/...re/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json
@@ -4,5 +4,11 @@
     "severity": "MEDIUM",
     "line": 10,
     "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "App Service Not Using Latest TLS Encryption Version",
+    "severity": "MEDIUM",
+    "line": 10,
+    "fileName": "positive2.tf"
   }
 ]