fix(query): fix EFS Volume With Disabled Transit Encryption queries for multiple volumes cases (#7947)

* fix EFS Volume With Disabled Transit Encryption query for multiple volumes cases in tf and cf

* update: dockerfile images

Author: cx-artur-ribeiro

Dockerfile

@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.26.0-r0@sha256:bbc945863cdee21f4bab2e80b4bd481cfee5c13ece8e576136bc478a5f6ad34d AS build_env
+FROM checkmarx/go:1.26.1-r1@sha256:3984b97600a32d5a9ff14cc4b8029572a762082d98fb9788bbc4050d4f45d9d2 AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,7 +29,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git:2.53.0-r0@sha256:f46c18d1ae724ca35faa4884289e8203294e52cafb17717e3875ab2c636a0a7e
+FROM checkmarx/git:2.53.0-r0@sha256:6f398e9772fc0271cbdd77b065a09c9244004fbda17c1c58ba01b412a4292bde
 
 ENV TERM xterm-256color
 

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/query.rego

@@ -7,60 +7,76 @@ CxPolicy[result] {
 	resource_list := input.document[i].Resources
 	resource := resource_list[name]
 	resource.Type == "AWS::ECS::TaskDefinition"
-    results := is_transit_encryption_disabled(resource,name)
+	volume := resource.Properties.Volumes[j]
+	common_lib.valid_key(volume.EFSVolumeConfiguration, "TransitEncryption")
+	volume.EFSVolumeConfiguration.TransitEncryption != "ENABLED"
 
-    result := {
+	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": results.sk,
-		"issueType": results.issueT,
-		"keyExpectedValue": results.kev,
-		"keyActualValue": results.kav,
-		"searchLine": results.sl,
+		"searchKey": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption", [name, j]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption should be enabled", [name, j]),
+		"keyActualValue": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption is disabled", [name, j]),
+		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "Volumes", j, "EFSVolumeConfiguration", "TransitEncryption"], []),
 	}
 }
 
-is_transit_encryption_disabled(taskDefinition, name) = res {
-	volume := taskDefinition.Properties.Volumes[j]
-    common_lib.valid_key(volume.EFSVolumeConfiguration, "TransitEncryption") 
-    volume.EFSVolumeConfiguration.TransitEncryption != "ENABLED"
-    res := {
-		"sk": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption", [name, j]),
-    	"issueT": "IncorrectValue",
-    	"kev": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption should be enabled", [name, j]),
-		"kav": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption is disabled", [name, j]),
-		"sl" : common_lib.build_search_line(["Resources",name,"Properties","Volumes", j,"EFSVolumeConfiguration","TransitEncryption"], []),
-    }
-} else = res { 
-	volume := taskDefinition.Properties.Volumes[j]
-    efsVolumeConfiguration := volume.EFSVolumeConfiguration
-    not common_lib.valid_key(efsVolumeConfiguration, "TransitEncryption")
-    res := {
-		"sk": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration", [name, j]),
-    	"issueT": "MissingAttribute",
-    	"kev": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption should be defined", [name, j]),
-        "kav": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", [name, j]),
-		"sl" : common_lib.build_search_line(["Resources",name,"Properties","Volumes", j,"EFSVolumeConfiguration"], []),
-    }
-} else = res {
-	volume := taskDefinition.Properties.Volumes[j]
-	not common_lib.valid_key(volume, "EFSVolumeConfiguration")
-	res := {
-		"sk": sprintf("Resources.%s.Properties.Volumes[%d]", [name, j]),
-		"issueT": "MissingAttribute",
-		"kev": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration should be defined", [name, j]),
-		"kav": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration is not defined", [name, j]),
-		"sl" : common_lib.build_search_line(["Resources",name,"Properties","Volumes", j], []),
+CxPolicy[result] {
+	resource_list := input.document[i].Resources
+	resource := resource_list[name]
+	resource.Type == "AWS::ECS::TaskDefinition"
+	volume := resource.Properties.Volumes[j]
+	efsVolumeConfiguration := volume.EFSVolumeConfiguration
+	efsVolumeConfiguration != null
+	not common_lib.valid_key(efsVolumeConfiguration, "TransitEncryption")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration", [name, j]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption should be defined", [name, j]),
+		"keyActualValue": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", [name, j]),
+		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "Volumes", j, "EFSVolumeConfiguration"], []),
 	}
-} else = res {
-	not common_lib.valid_key(taskDefinition.Properties, "Volumes")
-	res := {
-		"sk": sprintf("Resources.%s.Properties", [name]),
-		"issueT": "MissingAttribute",
-		"kev": sprintf("Resources.%s.Properties.Volumes should be defined", [name]),
-		"kav": sprintf("Resources.%s.Properties.Volumes is not defined", [name]),
-		"sl" : common_lib.build_search_line(["Resources",name,"Properties"], []),
+}
+
+CxPolicy[result] {
+	resource_list := input.document[i].Resources
+	resource := resource_list[name]
+	resource.Type == "AWS::ECS::TaskDefinition"
+	volume := resource.Properties.Volumes[j]
+	not common_lib.valid_key(volume, "EFSVolumeConfiguration")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties.Volumes[%d]", [name, j]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration should be defined", [name, j]),
+		"keyActualValue": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration is not defined", [name, j]),
+		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "Volumes", j], []),
 	}
-} 
+}
 
+CxPolicy[result] {
+	resource_list := input.document[i].Resources
+	resource := resource_list[name]
+	resource.Type == "AWS::ECS::TaskDefinition"
+	not common_lib.valid_key(resource.Properties, "Volumes")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.Volumes should be defined", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.Volumes is not defined", [name]),
+		"searchLine": common_lib.build_search_line(["Resources", name, "Properties"], []),
+	}
+}

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/negative3.json

@@ -0,0 +1,48 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Multiple volumes properly configured with TransitEncryption ENABLED",
+  "Resources": {
+    "taskdefinition": {
+      "Type": "AWS::ECS::TaskDefinition",
+      "Properties": {
+        "ContainerDefinitions": [
+          {
+            "Name": "container1",
+            "Image": "amazonlinux:2",
+            "MountPoints": [
+              {
+                "SourceVolume": "efs-vol-1",
+                "ContainerPath": "/mount/efs1"
+              },
+              {
+                "SourceVolume": "efs-vol-2",
+                "ContainerPath": "/mount/efs2"
+              }
+            ]
+          }
+        ],
+        "Volumes": [
+          {
+            "Name": "efs-vol-1",
+            "EFSVolumeConfiguration": {
+              "FileSystemId": "fs-1234",
+              "RootDirectory": "/path/to/data1",
+              "TransitEncryption": "ENABLED",
+              "TransitEncryptionPort": 2999
+            }
+          },
+          {
+            "Name": "efs-vol-2",
+            "EFSVolumeConfiguration": {
+              "FileSystemId": "fs-5678",
+              "RootDirectory": "/path/to/data2",
+              "TransitEncryption": "ENABLED",
+              "TransitEncryptionPort": 2999
+            }
+          }
+        ]
+      }
+    }
+  }
+}
+

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/negative3.yaml

@@ -0,0 +1,31 @@
+Resources:
+  taskdefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        -
+          Name: "container1"
+          Image: "amazonlinux:2"
+          MountPoints:
+            -
+              SourceVolume: "efs-vol-1"
+              ContainerPath: "/mount/efs1"
+            -
+              SourceVolume: "efs-vol-2"
+              ContainerPath: "/mount/efs2"
+      Volumes:
+        -
+          Name: "efs-vol-1"
+          EFSVolumeConfiguration:
+            FileSystemId: "fs-1234"
+            RootDirectory: "/path/to/data1"
+            TransitEncryption: ENABLED
+            TransitEncryptionPort: 2999
+        -
+          Name: "efs-vol-2"
+          EFSVolumeConfiguration:
+            FileSystemId: "fs-5678"
+            RootDirectory: "/path/to/data2"
+            TransitEncryption: ENABLED
+            TransitEncryptionPort: 2999
+

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive1.yaml

@@ -0,0 +1,27 @@
+Resources:
+  taskdefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        -
+          Name: "container-using-efs"
+          Image: "amazonlinux:2"
+          EntryPoint:
+            - "sh"
+            - "-c"
+          Command:
+            - "ls -la /mount/efs"
+          MountPoints:
+            -
+              SourceVolume: "myEfsVolume"
+              ContainerPath: "/mount/efs"
+              ReadOnly: true
+      Volumes:
+        -
+          Name: "myEfsVolume"
+          EFSVolumeConfiguration:
+            FileSystemId: "fs-1234"
+            RootDirectory: "/path/to/my/data"
+            TransitEncryptionPort: 10
+            TransitEncryption: DISABLED
+

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive10.json

@@ -0,0 +1,46 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Multiple volumes missing TransitEncryption",
+  "Resources": {
+    "taskdefinition": {
+      "Type": "AWS::ECS::TaskDefinition",
+      "Properties": {
+        "ContainerDefinitions": [
+          {
+            "Name": "container1",
+            "Image": "amazonlinux:2",
+            "MountPoints": [
+              {
+                "SourceVolume": "efs-vol-1",
+                "ContainerPath": "/mount/efs1"
+              },
+              {
+                "SourceVolume": "efs-vol-2",
+                "ContainerPath": "/mount/efs2"
+              }
+            ]
+          }
+        ],
+        "Volumes": [
+          {
+            "Name": "efs-vol-1",
+            "EFSVolumeConfiguration": {
+              "FileSystemId": "fs-1234",
+              "RootDirectory": "/path/to/data1",
+              "TransitEncryptionPort": 2999
+            }
+          },
+          {
+            "Name": "efs-vol-2",
+            "EFSVolumeConfiguration": {
+              "FileSystemId": "fs-5678",
+              "RootDirectory": "/path/to/data2",
+              "TransitEncryptionPort": 2999
+            }
+          }
+        ]
+      }
+    }
+  }
+}
+

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive10.yaml

@@ -0,0 +1,29 @@
+Resources:
+  taskdefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        -
+          Name: "container1"
+          Image: "amazonlinux:2"
+          MountPoints:
+            -
+              SourceVolume: "efs-vol-1"
+              ContainerPath: "/mount/efs1"
+            -
+              SourceVolume: "efs-vol-2"
+              ContainerPath: "/mount/efs2"
+      Volumes:
+        -
+          Name: "efs-vol-1"
+          EFSVolumeConfiguration:
+            FileSystemId: "fs-1234"
+            RootDirectory: "/path/to/data1"
+            TransitEncryptionPort: 2999
+        -
+          Name: "efs-vol-2"
+          EFSVolumeConfiguration:
+            FileSystemId: "fs-5678"
+            RootDirectory: "/path/to/data2"
+            TransitEncryptionPort: 2999
+

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive11.json

@@ -0,0 +1,42 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Multiple volumes missing EFSVolumeConfiguration",
+  "Resources": {
+    "taskdefinition": {
+      "Type": "AWS::ECS::TaskDefinition",
+      "Properties": {
+        "ContainerDefinitions": [
+          {
+            "Name": "container1",
+            "Image": "amazonlinux:2",
+            "MountPoints": [
+              {
+                "SourceVolume": "docker-vol-1",
+                "ContainerPath": "/mount/docker1"
+              },
+              {
+                "SourceVolume": "docker-vol-2",
+                "ContainerPath": "/mount/docker2"
+              }
+            ]
+          }
+        ],
+        "Volumes": [
+          {
+            "Name": "docker-vol-1",
+            "Host": {
+              "SourcePath": "/var/lib/docker/vfs/dir1/"
+            }
+          },
+          {
+            "Name": "docker-vol-2",
+            "Host": {
+              "SourcePath": "/var/lib/docker/vfs/dir2/"
+            }
+          }
+        ]
+      }
+    }
+  }
+}
+

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive11.yaml

@@ -0,0 +1,25 @@
+Resources:
+  taskdefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        -
+          Name: "container1"
+          Image: "amazonlinux:2"
+          MountPoints:
+            -
+              SourceVolume: "docker-vol-1"
+              ContainerPath: "/mount/docker1"
+            -
+              SourceVolume: "docker-vol-2"
+              ContainerPath: "/mount/docker2"
+      Volumes:
+        -
+          Name: "docker-vol-1"
+          Host:
+            SourcePath: "/var/lib/docker/vfs/dir1/"
+        -
+          Name: "docker-vol-2"
+          Host:
+            SourcePath: "/var/lib/docker/vfs/dir2/"
+