fix(misconf): wrap Azure PortRange in iac types (#7357)

nikpivkin · web-flow · commit c5c62d5ff054 · 2024-08-20T04:48:57.000Z
Signed-off-by: nikpivkin &lt;nikita.pivkin@smartforce.io&gt;
diff --git a/pkg/iac/adapters/arm/network/adapt.go b/pkg/iac/adapters/arm/network/adapt.go
@@ -27,11 +27,11 @@ func adaptSecurityGroups(deployment azure.Deployment) (sgs []network.SecurityGro
 func adaptSecurityGroup(resource azure.Resource, deployment azure.Deployment) network.SecurityGroup {
 	return network.SecurityGroup{
 		Metadata: resource.Metadata,
-		Rules:    adaptSecurityGroupRules(resource, deployment),
+		Rules:    adaptSecurityGroupRules(deployment),
 	}
 }
 
-func adaptSecurityGroupRules(resource azure.Resource, deployment azure.Deployment) (rules []network.SecurityGroupRule) {
+func adaptSecurityGroupRules(deployment azure.Deployment) (rules []network.SecurityGroupRule) {
 	for _, resource := range deployment.GetResourcesByType("Microsoft.Network/networkSecurityGroups/securityRules") {
 		rules = append(rules, adaptSecurityGroupRule(resource))
 	}
@@ -120,7 +120,7 @@ func expandRange(r string, m iacTypes.Metadata) network.PortRange {
 
 	return network.PortRange{
 		Metadata: m,
-		Start:    start,
-		End:      end,
+		Start:    iacTypes.Int(start, m),
+		End:      iacTypes.Int(end, m),
 	}
 }
diff --git a/pkg/iac/adapters/terraform/azure/network/adapt.go b/pkg/iac/adapters/terraform/azure/network/adapt.go
@@ -136,8 +136,8 @@ func (a *adapter) adaptSource(ruleBlock *terraform.Block, rule *network.Security
 		f := sourcePortRangeAttr.AsNumber()
 		rule.SourcePorts = append(rule.SourcePorts, network.PortRange{
 			Metadata: sourcePortRangeAttr.GetMetadata(),
-			Start:    int(f),
-			End:      int(f),
+			Start:    iacTypes.Int(int(f), sourcePortRangeAttr.GetMetadata()),
+			End:      iacTypes.Int(int(f), sourcePortRangeAttr.GetMetadata()),
 		})
 	}
 }
@@ -160,8 +160,8 @@ func (a *adapter) adaptDestination(ruleBlock *terraform.Block, rule *network.Sec
 		f := destPortRangeAttr.AsNumber()
 		rule.DestinationPorts = append(rule.DestinationPorts, network.PortRange{
 			Metadata: destPortRangeAttr.GetMetadata(),
-			Start:    int(f),
-			End:      int(f),
+			Start:    iacTypes.Int(int(f), destPortRangeAttr.GetMetadata()),
+			End:      iacTypes.Int(int(f), destPortRangeAttr.GetMetadata()),
 		})
 	}
 }
@@ -189,8 +189,8 @@ func expandRange(r string, m iacTypes.Metadata) network.PortRange {
 
 	return network.PortRange{
 		Metadata: m,
-		Start:    start,
-		End:      end,
+		Start:    iacTypes.Int(start, m),
+		End:      iacTypes.Int(end, m),
 	}
 }
 
diff --git a/pkg/iac/adapters/terraform/azure/network/adapt_test.go b/pkg/iac/adapters/terraform/azure/network/adapt_test.go
@@ -65,15 +65,15 @@ func Test_Adapt(t *testing.T) {
 								SourcePorts: []network.PortRange{
 									{
 										Metadata: iacTypes.NewTestMetadata(),
-										Start:    0,
-										End:      65535,
+										Start:    iacTypes.IntTest(0),
+										End:      iacTypes.IntTest(65535),
 									},
 								},
 								DestinationPorts: []network.PortRange{
 									{
 										Metadata: iacTypes.NewTestMetadata(),
-										Start:    3389,
-										End:      3389,
+										Start:    iacTypes.IntTest(3389),
+										End:      iacTypes.IntTest(3389),
 									},
 								},
 								Protocol: iacTypes.String("TCP", iacTypes.NewTestMetadata()),
diff --git a/pkg/iac/providers/azure/network/network.go b/pkg/iac/providers/azure/network/network.go
@@ -27,12 +27,12 @@ type SecurityGroupRule struct {
 
 type PortRange struct {
 	Metadata iacTypes.Metadata
-	Start    int
-	End      int
+	Start    iacTypes.IntValue
+	End      iacTypes.IntValue
 }
 
 func (r PortRange) Includes(port int) bool {
-	return port >= r.Start && port <= r.End
+	return port >= r.Start.Value() && port <= r.End.Value()
 }
 
 type NetworkWatcherFlowLog struct {
diff --git a/pkg/iac/rego/schemas/cloud.json b/pkg/iac/rego/schemas/cloud.json
@@ -5207,10 +5207,12 @@
           "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
         },
         "end": {
-          "type": "integer"
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.IntValue"
         },
         "start": {
-          "type": "integer"
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.IntValue"
         }
       }
     },

Original file line number	Diff line number	Diff line change
`@@ -27,11 +27,11 @@ func adaptSecurityGroups(deployment azure.Deployment) (sgs []network.SecurityGro`
`27`	`27`	`func adaptSecurityGroup(resource azure.Resource, deployment azure.Deployment) network.SecurityGroup {`
`28`	`28`	`return network.SecurityGroup{`
`29`	`29`	`Metadata: resource.Metadata,`
`30`		`- Rules: adaptSecurityGroupRules(resource, deployment),`
	`30`	`+ Rules: adaptSecurityGroupRules(deployment),`
`31`	`31`	`}`
`32`	`32`	`}`
`33`	`33`
`34`		`-func adaptSecurityGroupRules(resource azure.Resource, deployment azure.Deployment) (rules []network.SecurityGroupRule) {`
	`34`	`+func adaptSecurityGroupRules(deployment azure.Deployment) (rules []network.SecurityGroupRule) {`
`35`	`35`	`for _, resource := range deployment.GetResourcesByType("Microsoft.Network/networkSecurityGroups/securityRules") {`
`36`	`36`	`rules = append(rules, adaptSecurityGroupRule(resource))`
`37`	`37`	`}`
`@@ -120,7 +120,7 @@ func expandRange(r string, m iacTypes.Metadata) network.PortRange {`
`120`	`120`
`121`	`121`	`return network.PortRange{`
`122`	`122`	`Metadata: m,`
`123`		`- Start: start,`
`124`		`- End: end,`
	`123`	`+ Start: iacTypes.Int(start, m),`
	`124`	`+ End: iacTypes.Int(end, m),`
`125`	`125`	`}`
`126`	`126`	`}`
Original file line number	Diff line number	Diff line change
`@@ -136,8 +136,8 @@ func (a adapter) adaptSource(ruleBlock terraform.Block, rule *network.Security`
`136`	`136`	`f := sourcePortRangeAttr.AsNumber()`
`137`	`137`	`rule.SourcePorts = append(rule.SourcePorts, network.PortRange{`
`138`	`138`	`Metadata: sourcePortRangeAttr.GetMetadata(),`
`139`		`- Start: int(f),`
`140`		`- End: int(f),`
	`139`	`+ Start: iacTypes.Int(int(f), sourcePortRangeAttr.GetMetadata()),`
	`140`	`+ End: iacTypes.Int(int(f), sourcePortRangeAttr.GetMetadata()),`
`141`	`141`	`})`
`142`	`142`	`}`
`143`	`143`	`}`
`@@ -160,8 +160,8 @@ func (a adapter) adaptDestination(ruleBlock terraform.Block, rule *network.Sec`
`160`	`160`	`f := destPortRangeAttr.AsNumber()`
`161`	`161`	`rule.DestinationPorts = append(rule.DestinationPorts, network.PortRange{`
`162`	`162`	`Metadata: destPortRangeAttr.GetMetadata(),`
`163`		`- Start: int(f),`
`164`		`- End: int(f),`
	`163`	`+ Start: iacTypes.Int(int(f), destPortRangeAttr.GetMetadata()),`
	`164`	`+ End: iacTypes.Int(int(f), destPortRangeAttr.GetMetadata()),`
`165`	`165`	`})`
`166`	`166`	`}`
`167`	`167`	`}`
`@@ -189,8 +189,8 @@ func expandRange(r string, m iacTypes.Metadata) network.PortRange {`
`189`	`189`
`190`	`190`	`return network.PortRange{`
`191`	`191`	`Metadata: m,`
`192`		`- Start: start,`
`193`		`- End: end,`
	`192`	`+ Start: iacTypes.Int(start, m),`
	`193`	`+ End: iacTypes.Int(end, m),`
`194`	`194`	`}`
`195`	`195`	`}`
`196`	`196`
Original file line number	Diff line number	Diff line change
`@@ -27,12 +27,12 @@ type SecurityGroupRule struct {`
`27`	`27`
`28`	`28`	`type PortRange struct {`
`29`	`29`	`Metadata iacTypes.Metadata`
`30`		`- Start int`
`31`		`- End int`
	`30`	`+ Start iacTypes.IntValue`
	`31`	`+ End iacTypes.IntValue`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`func (r PortRange) Includes(port int) bool {`
`35`		`- return port >= r.Start && port <= r.End`
	`35`	`+ return port >= r.Start.Value() && port <= r.End.Value()`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`type NetworkWatcherFlowLog struct {`