@cx-andre-pereira cx-andre-pereira commented Jul 16, 2025

Reason for Proposed Changes

  • These queries are meant to detect azurerm network rules that expose sensitive ports: port 22 (ssh) and port 3389 (rdp); however, they are not taking into account azurerm_network_security_group blocks.
  • This has bestowed upon the queries a massive blind spot for these dangerous vulnerabilities; inside these groups one or both ports could be explicitly exposed.

Proposed Changes

  • To allow for a complete and thorough search for network rules, I have implemented an extra valid pattern for the CxPolicy to scan and detect these statements when inside an azurerm_network_security_group block.
  • The implementation specifically searches for "security_rule" blocks inside groups because that is the singular allowed identifier for rules defined inside these groups. Other identifiers are disregarded. (doc)
  • All the tests have been updated to ensure results are consistent whether rules are defined inside or outside of a group.

Note: The searchKey uses rule names for traceability. This approach was chosen over index-based referencing due to consistent misalignment between idx values and the actual rule objects, which led to duplicate or misplaced warnings.

originalPR

I submit this contribution under the Apache-2.0 license.
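A Python sketch of the two-pattern detection the PR describes (standalone azurerm_network_security_rule resources plus security_rule blocks nested in an azurerm_network_security_group, with searchKeys built from rule names rather than indexes). This is an added example, not KICS's own Rego query; the dict layout standing in for the Terraform JSON a KICS query inspects, and the sample resources, are constructed assumptions.

```python
"""Added example: flag NSG rules allowing inbound SSH (22) / RDP (3389) from
any source, both as standalone azurerm_network_security_rule resources and as
security_rule blocks inside azurerm_network_security_group. The dict layout
mimics the JSON view of Terraform a KICS query sees (an assumption)."""

ANY_SOURCE = {"*", "0.0.0.0/0", "0.0.0.0", "/0", "Internet"}

def covers_port(spec, port):
    """True if a destination_port_range(s) value ("*", "22", "20-30") includes `port`."""
    for s in (spec if isinstance(spec, list) else [spec]):
        s = str(s).strip()
        lo, _, hi = s.partition("-")  # a single port is a one-element range
        if s == "*" or (lo.isdigit() and (hi or lo).isdigit() and int(lo) <= port <= int(hi or lo)):
            return True
    return False

def rule_exposes(rule, port):
    """Inbound allow rule reachable from any source on `port`."""
    spec = rule.get("destination_port_ranges", rule.get("destination_port_range", ""))
    return (str(rule.get("access", "")).lower() == "allow"
            and str(rule.get("direction", "")).lower() == "inbound"
            and str(rule.get("source_address_prefix", "")) in ANY_SOURCE
            and covers_port(spec, port))

def find_exposed(document, port):
    """Return searchKeys built from rule names rather than list indexes."""
    res, hits = document.get("resource", {}), []
    # Pattern 1: standalone azurerm_network_security_rule resources.
    for name, rule in res.get("azurerm_network_security_rule", {}).items():
        if rule_exposes(rule, port):
            hits.append(f"azurerm_network_security_rule[{name}]")
    # Pattern 2: security_rule blocks nested inside a security group.
    for gname, group in res.get("azurerm_network_security_group", {}).items():
        rules = group.get("security_rule", [])
        for rule in (rules if isinstance(rules, list) else [rules]):
            if rule_exposes(rule, port):
                hits.append(f"azurerm_network_security_group[{gname}].security_rule[{rule['name']}]")
    return hits

# Constructed sample: one standalone rule plus a group with two inline rules.
SAMPLE = {"resource": {
    "azurerm_network_security_rule": {"allow_ssh": {
        "direction": "Inbound", "access": "Allow", "source_address_prefix": "*",
        "destination_port_range": "22"}},
    "azurerm_network_security_group": {"nsg": {"security_rule": [
        {"name": "rdp_open", "direction": "Inbound", "access": "Allow",
         "source_address_prefix": "Internet", "destination_port_range": "3000-4000"},
        {"name": "rdp_vpn", "direction": "Inbound", "access": "Allow",
         "source_address_prefix": "10.0.0.0/8", "destination_port_range": "3389"}]}}}}
```

The rdp_vpn rule is deliberately left unflagged: it allows 3389 but only from a private prefix, which is the distinction the query's source check should preserve.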

@cx-andre-pereira cx-andre-pereira requested a review from a team as a code owner July 16, 2025 11:00
@github-actions github-actions bot added community Community contribution query New query feature terraform Terraform query labels Jul 16, 2025
@cx-eduardo-semanas cx-eduardo-semanas left a comment

LGTM

@cx-artur-ribeiro cx-artur-ribeiro left a comment

LGTM

@cx-artur-ribeiro cx-artur-ribeiro merged commit 17aef90 into Checkmarx:master Jul 17, 2025
26 checks passed