4 changes: 2 additions & 2 deletions DataAccess.cs
Expand Up @@ -7,7 +7,7 @@ namespace CodeQLAlertTrigger
public class DataAccess
{
private Dictionary<string, string> _users = new Dictionary<string, string>();
private const string SqlConnectionString = "Server=localhost;Database=SecurityDb;User Id=sa;Password=MyP@ssw0rd!;";
private const string SqlConnectionString = "Server=localhost;Database=SecurityDb;User Id=sa;Password=MyP@ssw0rd!2;";

Check failure

Code scanning / CodeQL

Hard-coded connection string with credentials

'ConnectionString' property includes hard-coded credentials set in [object creation of type SqlConnection](1).

public DataAccess()
{
Expand All @@ -16,7 +16,7 @@ public DataAccess()
public bool IsValidUser(string username, string password)
{
PopulateUsers();
// Should access the database but we wont
// Should access the database but we won't
if (!_users.ContainsKey(username))
{
return false;
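Review bot: Rotating the `sa` password inside the `SqlConnectionString` const (the second of the two connection-string lines) does not remediate the CodeQL finding — the new value is still compiled into the assembly and the old one remains in git history, so both should be treated as exposed and rotated on the server. Load the connection string at runtime instead, e.g. `private static readonly string SqlConnectionString = Environment.GetEnvironmentVariable("SECURITYDB_CONNECTION_STRING") ?? throw new InvalidOperationException("SECURITYDB_CONNECTION_STRING is not set");`, and prefer a least-privilege login or `Integrated Security=True` over `sa`. The `SqlConnection` creation the alert points at, and the rest of `IsValidUser`, lie outside this hunk. If this repository exists only to trigger scanner alerts, the literal should at least be an obviously fake placeholder rather than a plausible password.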
4 changes: 2 additions & 2 deletions SecureAccess.cs
Expand Up @@ -5,8 +5,8 @@ namespace CodeQLAlertTrigger
{
public class SecureAccess
{
private const string AdminUsername = "admin";
private const string AdminPassword = "P@ssword123" ;
private const string AdminUsername = "adminuser";
private const string AdminPassword = "P@ssword1234" ;
private DataAccess _access = new DataAccess();

public SecureAccess()
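Review bot: Changing `AdminUsername`/`AdminPassword` to `"adminuser"`/`"P@ssword1234"` keeps a plaintext admin credential as a `const` in source; `const` strings are inlined into every referencing assembly and trivially recovered with a decompiler, and the previous pair stays in history. Replace the constants with a value read from configuration or a secret store at startup, store only a salted hash (e.g. `Rfc2898DeriveBytes.Pbkdf2`) and compare with `CryptographicOperations.FixedTimeEquals` rather than string equality. How `_access` and these fields are used is outside the hunk, so whether the login path already hashes cannot be confirmed from here.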
35 changes: 32 additions & 3 deletions terraform/main.tf
@@ -1,13 +1,16 @@
# Example code taken from:
# https://aquasecurity.github.io/tfsec/v0.61.3/checks/azure/compute/disable-password-authentication/
locals {
root_password = "P@ssw0rd!1"
}

resource "azurerm_resource_group" "example" {
name = "my-rgrp"
location = "West US2"
}

resource "azurerm_storage_account" "bad_example" {
name = "storageaccountname"
name = "badnamesa"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
Expand Down Expand Up @@ -36,7 +39,7 @@ resource "azurerm_virtual_machine" "bad_example" {
os_profile {
computer_name = "hostname"
admin_username = "testadmin"
admin_password = "Password1234!"
admin_password = local.root_password
}

os_profile_linux_config {
Expand All @@ -49,12 +52,18 @@ resource "azurerm_kubernetes_cluster" "bad_example" {
}

resource "azurerm_key_vault" "bad_example" {
name = "examplekeyvault"
name = "bad_examplekeyvault"
location = azurerm_resource_group.example.location
enabled_for_disk_encryption = true
purge_protection_enabled = false
}

resource "azurerm_key_vault_secret" "example" {
name = "secret_password"
value = var.another_password
key_vault_id = azurerm_key_vault.bad_example.id
}
Comment on lines +61 to +65

Check notice

Code scanning / defsec

Key vault Secret should have a content type set

Secret does not have a content-type specified.
Comment on lines +61 to +65

Check notice

Code scanning / defsec

Key Vault Secret should have an expiration date set

Secret should have an expiry date specified.

resource "azurerm_monitor_log_profile" "bad_example" {
name = "bad_example"

Expand Down Expand Up @@ -87,3 +96,23 @@ resource "azurerm_network_security_group" "example" {
destination_address_prefix = "*"
}
}

resource "azurerm_app_service_plan" "example" {
name = "bad_exampleappserviceplan"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_app_service" "bad_example" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id
}
Comment on lines +106 to +111

Check warning

Code scanning / defsec

App Service authentication is activated

App service does not have authentication enabled.
Comment on lines +106 to +111

Check notice

Code scanning / defsec

Web App has registration with AD enabled

App service does not have an identity type.
Comment on lines +106 to +111

Check notice

Code scanning / defsec

Web App uses the latest HTTP version

App service does not have HTTP/2 enabled.
Comment on lines +106 to +111

Check notice

Code scanning / defsec

Web App accepts incoming client certificate

App service does not have client certificates enabled.

resource "azurerm_function_app" "bad_example" {
name = "example-function-app"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id
}
Comment on lines +113 to +118

Check failure

Code scanning / defsec

Ensure the Function App can only be accessed via HTTPS. The default is false.

Function app does not have HTTPS enforced.
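Review bot: The `locals { root_password = "P@ssw0rd!1" }` block at the top of the file, consumed by `admin_password = local.root_password` in the `azurerm_virtual_machine` hunk, only relocates the hard-coded VM password — it is still committed in source and, as a plain local, appears in plan output and is stored in state. The same applies to `azurerm_key_vault_secret.example`, whose `value = var.another_password` resolves to a literal default in `variables.tf` and is written to state unencrypted. Declare the password as a `sensitive` input with no default (or generate it with `random_password` and read it back from Key Vault); `disable_password_authentication` in `os_profile_linux_config`, which the referenced tfsec check is about, sits outside the hunk. If this is a deliberate bad-example fixture, say so in the header comment and use clearly fake placeholder values.
```hcl
variable "root_password" {
  type      = string
  sensitive = true
}

# … unchanged: resource group, storage account, rest of the VM resource …

    admin_password = var.root_password
```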
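--- /dev/null
+++ b/terraform/variables.tf
@@ -0,0 +1,5 @@
+variable "another_password" {
+description = "Another Password"
+type = string
+default = "P@$$w0rd!"
+}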
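Review bot: `another_password` ships a realistic password as its `default` on the line before the closing brace and is not marked `sensitive`, so the value is committed in source, echoed in plan/apply output, and — because main.tf writes it into a Key Vault secret — lands unencrypted in Terraform state. Drop the `default` so callers must supply it (`TF_VAR_another_password` or a tfvars file kept out of git) and add `sensitive = true` to redact it from CLI output; state will still hold the plaintext, so the backend must be encrypted and access-controlled. The `description` could also say what the password protects instead of "Another Password". If this file is a deliberately-bad fixture for scanner testing, the value should at least be an obviously fake placeholder.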