Add MFA rule (#43)

josedonizetti · Dec 17, 2021 · 9be97f2 · 9be97f2
1 parent efe6889
commit 9be97f2
Show file tree

Hide file tree

Showing 147 changed files with 3,817 additions and 47,866 deletions.
diff --git a/formatters/sarif.go b/formatters/sarif.go
@@ -7,7 7,7 @@ import (
  "github.com/aquasecurity/defsec/rules"
  "github.com/aquasecurity/defsec/severity"
 
- "github.com/owenrumney/go-sarif/sarif"
  "github.com/owenrumney/go-sarif/v2/sarif"
 )
 
 func FormatSarif(w io.Writer, results []rules.Result, baseDir string, _ ...FormatterOption) error {
@@ -16,7 16,7 @@ func FormatSarif(w io.Writer, results []rules.Result, baseDir string, _ ...Forma
  return err
  }
 
- run := sarif.NewRun("tfsec", "https://tfsec.dev")
  run := sarif.NewRunWithInformationURI("tfsec", "https://tfsec.dev")
  report.AddRun(run)
 
  for _, res := range results {
@@ -31,7 31,7 @@ func FormatSarif(w io.Writer, results []rules.Result, baseDir string, _ ...Forma
  }
  rule := run.AddRule(res.Rule().LongID()).
  WithDescription(res.Rule().Summary).
- WithHelp(link)
  WithHelpURI(link)
 
  rng := res.NarrowestRange()
 
@@ -61,11 61,11 @@ func FormatSarif(w io.Writer, results []rules.Result, baseDir string, _ ...Forma
  WithArtifactLocation(sarif.NewSimpleArtifactLocation(relativePath)).
  WithRegion(region)
 
- ruleResult := run.AddResult(rule.ID)
  ruleResult := run.CreateResultForRule(rule.ID)
 
  ruleResult.WithMessage(message).
  WithLevel(level).
- WithLocation(sarif.NewLocation().WithPhysicalLocation(location))
  AddLocation(sarif.NewLocation().WithPhysicalLocation(location))
  }
 
  return report.PrettyWrite(w)

diff --git a/go.mod b/go.mod
@@ -6,7 6,37 @@ require (
  github.com/liamg/clinch v1.5.6
  github.com/liamg/gifwrap v0.0.6
  github.com/liamg/tml v0.4.0
- github.com/owenrumney/go-sarif v1.0.14
  github.com/owenrumney/go-sarif/v2 v2.0.13
  github.com/owenrumney/squealer v0.3.1
  github.com/stretchr/testify v1.7.0
 )
 
 require (
  github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
  github.com/acomagu/bufpipe v1.0.3 // indirect
  github.com/davecgh/go-spew v1.1.1 // indirect
  github.com/emirpasic/gods v1.12.0 // indirect
  github.com/gdamore/encoding v1.0.0 // indirect
  github.com/gdamore/tcell/v2 v2.2.0 // indirect
  github.com/go-git/gcfg v1.5.0 // indirect
  github.com/go-git/go-billy/v5 v5.3.1 // indirect
  github.com/go-git/go-git/v5 v5.4.2 // indirect
  github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
  github.com/lucasb-eyer/go-colorful v1.0.3 // indirect
  github.com/mattn/go-runewidth v0.0.10 // indirect
  github.com/mitchellh/go-homedir v1.1.0 // indirect
  github.com/owenrumney/go-sarif v1.1.1 // indirect
  github.com/pmezard/go-difflib v1.0.0 // indirect
  github.com/rivo/uniseg v0.1.0 // indirect
  github.com/sergi/go-diff v1.1.0 // indirect
  github.com/sirupsen/logrus v1.8.1 // indirect
  github.com/zclconf/go-cty v1.10.0 // indirect
  golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b // indirect
  golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 // indirect
  golang.org/x/sys v0.0.0-20210510120138-977fb7262007 // indirect
  golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf // indirect
  golang.org/x/text v0.3.5 // indirect
  gopkg.in/warnings.v0 v0.1.2 // indirect
  gopkg.in/yaml.v2 v2.4.0 // indirect
  gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 )
diff --git a/go.sum b/go.sum
@@ -277,8 277,11 @@ github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3Rllmb
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi 5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F FBtV6XMibvdAFo93nm5qn4U=
-github.com/owenrumney/go-sarif v1.0.14 h1:uvPPxZbmyR1S59iOHePrlrjbM5Ysp9tEc5K3MSwIHD0=
 github.com/owenrumney/go-sarif v1.0.14/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
 github.com/owenrumney/go-sarif v1.1.1 h1:QNObu6YX1igyFKhdzd7vgzmw7XsWN3/6NMGuDzBgXmE=
 github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
 github.com/owenrumney/go-sarif/v2 v2.0.13 h1:Z4MzJtJO4OR2ygruUtA4ze8wZJHrI0C/qazNK8XdzRw=
 github.com/owenrumney/go-sarif/v2 v2.0.13/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr w=
 github.com/owenrumney/squealer v0.3.1 h1:iBo817khHVpcP65om iXuSYg G6iaVvjsY0amcy1UAA=
 github.com/owenrumney/squealer v0.3.1/go.mod h1:mRMvbRyrnE2mYghLpn4M2jATJhIddp4XOAKKY60X7nY=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=

diff --git a/rules/aws/iam/enforce_mfa.go b/rules/aws/iam/enforce_mfa.go
@@ -0,0 1,30 @@
 package iam
 
 import (
  "github.com/aquasecurity/defsec/provider"
  "github.com/aquasecurity/defsec/rules"
  "github.com/aquasecurity/defsec/severity"
  "github.com/aquasecurity/defsec/state"
 )
 
 var EnforceMFA = rules.Register(
  rules.Rule{
  AVDID: "AVD-AWS-0123",
  Provider: provider.AWSProvider,
  Service: "iam",
  ShortCode: "enforce-mfa",
  Summary: "IAM Groups should have MFA enforcement activated.",
  Impact: "User accounts are more vulnerable to compromise without multi factor authentication activated",
  Resolution: "Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced",
  Explanation: `
 IAM user accounts should be protected with multi factor authentication to add safe guards to password compromise.
  `,
  Links: []string{
  "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details",
  },
  Severity: severity.Medium,
  },
  func(s *state.State) (results rules.Results) {
  return
  },
 )
diff --git a/vendor/github.com/acomagu/bufpipe/go.mod b/vendor/github.com/acomagu/bufpipe/go.mod
diff --git a/vendor/github.com/acomagu/bufpipe/go.sum b/vendor/github.com/acomagu/bufpipe/go.sum
diff --git a/vendor/github.com/gdamore/encoding/go.mod b/vendor/github.com/gdamore/encoding/go.mod
diff --git a/vendor/github.com/gdamore/encoding/go.sum b/vendor/github.com/gdamore/encoding/go.sum
diff --git a/vendor/github.com/gdamore/tcell/v2/go.mod b/vendor/github.com/gdamore/tcell/v2/go.mod
diff --git a/vendor/github.com/gdamore/tcell/v2/go.sum b/vendor/github.com/gdamore/tcell/v2/go.sum
diff --git a/vendor/github.com/go-git/go-billy/v5/go.mod b/vendor/github.com/go-git/go-billy/v5/go.mod
diff --git a/vendor/github.com/go-git/go-billy/v5/go.sum b/vendor/github.com/go-git/go-billy/v5/go.sum
diff --git a/vendor/github.com/liamg/tml/go.mod b/vendor/github.com/liamg/tml/go.mod
diff --git a/vendor/github.com/liamg/tml/go.sum b/vendor/github.com/liamg/tml/go.sum
diff --git a/vendor/github.com/lucasb-eyer/go-colorful/go.mod b/vendor/github.com/lucasb-eyer/go-colorful/go.mod
diff --git a/vendor/github.com/lucasb-eyer/go-colorful/go.sum b/vendor/github.com/lucasb-eyer/go-colorful/go.sum
diff --git a/vendor/github.com/mattn/go-runewidth/go.mod b/vendor/github.com/mattn/go-runewidth/go.mod
diff --git a/vendor/github.com/mattn/go-runewidth/go.sum b/vendor/github.com/mattn/go-runewidth/go.sum
diff --git a/vendor/github.com/mitchellh/go-homedir/go.mod b/vendor/github.com/mitchellh/go-homedir/go.mod
diff --git a/vendor/github.com/owenrumney/go-sarif/sarif/address.go b/vendor/github.com/owenrumney/go-sarif/sarif/address.go
diff --git a/vendor/github.com/owenrumney/go-sarif/sarif/artifact.go b/vendor/github.com/owenrumney/go-sarif/sarif/artifact.go