Merge pull request #6697 from Checkmarx/kics_logging_of_sensitive_data

feat(query): ansible config logging_of_sensitive_data

assets/queries/ansible/config/logging_of_sensitive_data/metadata.json

@@ -0,0 +1,12 @@
+{
+    "id": "c6473dae-8477-4119-88b7-b909b435ce7b",
+    "queryName": "Logging of Sensitive Data",
+    "severity": "LOW",
+    "category": "Best Practices",
+    "descriptionText": "To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True",
+    "descriptionUrl": "https://docs.ansible.com/ansible/latest/reference_appendices/logging.html#protecting-sensitive-data-with-no-log",
+    "platform": "Ansible",
+    "descriptionID": "0eca35f3",
+    "cloudProvider": "common"
+  }
+

assets/queries/ansible/config/logging_of_sensitive_data/query.rego

@@ -0,0 +1,35 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	defaultsGroup := input.document[i].groups.defaults
+
+    not common_lib.valid_key(defaultsGroup, "no_log")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": "defaults",
+		"issueType": "IncorrectValue",
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"keyExpectedValue": "no_log should be defined and set to 'true'",
+		"keyActualValue": "no_log is not defined",
+	}
+}
+
+CxPolicy[result] {
+	defaultsGroup := input.document[i].groups.defaults
+
+    defaultsGroup.no_log == false
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": "defaults.no_log",
+		"issueType": "IncorrectValue",
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"keyExpectedValue": "no_log should be set to 'true'",
+		"keyActualValue": "no_log is set to 'false'",
+	}
+}

assets/queries/ansible/config/logging_of_sensitive_data/test/negative1.cfg

@@ -0,0 +1,39 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory
+fact_caching_prefix=ansible_facts
+fact_caching_timeout=86400
+collections_on_ansible_version_mismatch=warning
+collections_path=~/.ansible/collections:/usr/share/ansible/collections
+collections_scan_sys_path=True
+command_warnings=False
+action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
+allow_unsafe_lookups=False
+ask_pass=False
+ask_vault_pass=False
+cache_plugins=~/.ansible/plugins/cache:/usr/share/ansible/plugins/cache
+callback_plugins=~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback
+cliconf_plugins=~/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf
+connection_plugins=~/.ansible/plugins/connection:/usr/share/ansible/plugins/connection
+debug=False
+executable=/bin/sh
+filter_plugins=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter
+force_handlers=False
+forks=5
+gathering=implicit
+gather_subset=all
+lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup
+ansible_managed=Ansible managed
+module_compression=ZIP_DEFLATED
+module_name=command
+library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
+module_utils=~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
+netconf_plugins=~/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf
+no_log=True

assets/queries/ansible/config/logging_of_sensitive_data/test/positive1.cfg

@@ -0,0 +1,38 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory
+fact_caching_prefix=ansible_facts
+fact_caching_timeout=86400
+collections_on_ansible_version_mismatch=warning
+collections_path=~/.ansible/collections:/usr/share/ansible/collections
+collections_scan_sys_path=True
+command_warnings=False
+action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
+allow_unsafe_lookups=False
+ask_pass=False
+ask_vault_pass=False
+cache_plugins=~/.ansible/plugins/cache:/usr/share/ansible/plugins/cache
+callback_plugins=~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback
+cliconf_plugins=~/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf
+connection_plugins=~/.ansible/plugins/connection:/usr/share/ansible/plugins/connection
+debug=False
+executable=/bin/sh
+filter_plugins=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter
+force_handlers=False
+forks=5
+gathering=implicit
+gather_subset=all
+lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup
+ansible_managed=Ansible managed
+module_compression=ZIP_DEFLATED
+module_name=command
+library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
+module_utils=~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
+netconf_plugins=~/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf

assets/queries/ansible/config/logging_of_sensitive_data/test/positive2.cfg

@@ -0,0 +1,39 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory
+fact_caching_prefix=ansible_facts
+fact_caching_timeout=86400
+collections_on_ansible_version_mismatch=warning
+collections_path=~/.ansible/collections:/usr/share/ansible/collections
+collections_scan_sys_path=True
+command_warnings=False
+action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
+allow_unsafe_lookups=False
+ask_pass=False
+ask_vault_pass=False
+cache_plugins=~/.ansible/plugins/cache:/usr/share/ansible/plugins/cache
+callback_plugins=~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback
+cliconf_plugins=~/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf
+connection_plugins=~/.ansible/plugins/connection:/usr/share/ansible/plugins/connection
+debug=False
+executable=/bin/sh
+filter_plugins=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter
+force_handlers=False
+forks=5
+gathering=implicit
+gather_subset=all
+lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup
+ansible_managed=Ansible managed
+module_compression=ZIP_DEFLATED
+module_name=command
+library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
+module_utils=~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
+netconf_plugins=~/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf
+no_log=False

assets/queries/ansible/config/logging_of_sensitive_data/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "Logging of Sensitive Data",
+		"severity": "LOW",
+        "filename": "positive1.cfg",
+		"line": 1
+	},
+    {
+		"queryName": "Logging of Sensitive Data",
+		"severity": "LOW",
+        "filename": "positive2.cfg",
+		"line": 39
+	}
+]