kics
kics copied to clipboard
Published
20 hours ago •
Checkmarx
Checkmarx
Website Azure Active Directory Disabled ARM Security Query False Positive Result
Actual Behavior
A false positive result is detected in line 114 as ARM security query is flagging the wrong type of document.
Also, the query description is not clear, Looking at the implementation we are currently checking if the identity field is assigned to system or user. This is done to register the application in the AAD resulting in the ability to connect to other Azure cloud services securely without the need to use credentials.
Suggestion: Azure App Service Web Applications should be connected to the Azure Active Directory so other services in the Azure Cloud can be integrated without the need for credentials. This is achieved by setting the 'identity.type' to 'SystemAssigned' or 'userAssignedIdentities' to 'true'
Steps to Reproduce the Problem
- Run KICS Scan command
docker run -v /path/folder:/path checkmarx/kics:v1.6.1 scan -p /path/sample.json
Sample to reproduce the problem:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"siteName": {
"type": "string",
"metadata": {
"description": "Name of azure web app"
}
},
"administratorLogin": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Database administrator login name"
}
},
"administratorLoginPassword": {
"type": "securestring",
"minLength": 8,
"maxLength": 128,
"metadata": {
"description": "Database administrator password"
}
},
"databaseSkucapacity": {
"type": "int",
"defaultValue": 2,
"allowedValues": [
2,
4,
8,
16,
32
],
"metadata": {
"description": "Azure database for MySQL compute capacity in vCores (2,4,8,16,32)"
}
},
"databaseSkuName": {
"type": "string",
"defaultValue": "GP_Gen5_2",
"allowedValues": [
"GP_Gen5_2",
"GP_Gen5_4",
"GP_Gen5_8",
"GP_Gen5_16",
"GP_Gen5_32",
"MO_Gen5_2",
"MO_Gen5_4",
"MO_Gen5_8",
"MO_Gen5_16",
"MO_Gen5_32"
],
"metadata": {
"description": "Azure database for MySQL sku name "
}
},
"databaseSkuSizeMB": {
"type": "int",
"allowedValues": [
102400,
51200
],
"defaultValue": 51200,
"metadata": {
"description": "Azure database for MySQL Sku Size "
}
},
"databaseSkuTier": {
"type": "string",
"defaultValue": "GeneralPurpose",
"allowedValues": [
"GeneralPurpose",
"MemoryOptimized"
],
"metadata": {
"description": "Azure database for MySQL pricing tier"
}
},
"mysqlVersion": {
"type": "string",
"allowedValues": [
"5.6",
"5.7"
],
"defaultValue": "5.6",
"metadata": {
"description": "MySQL version"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"databaseSkuFamily": {
"type": "string",
"defaultValue": "Gen5",
"metadata": {
"description": "Azure database for MySQL sku family"
}
}
},
"variables": {
"databaseName": "[concat(parameters('siteName'), 'database')]",
"serverName": "[concat(parameters('siteName'), 'myserver')]",
"hostingPlanName": "[concat(parameters('siteName'), 'serviceplan')]"
},
"resources": [
{
"apiVersion": "2020-06-01",
"name": "[variables('hostingPlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[parameters('location')]",
"properties": {
"name": "[variables('hostingPlanName')]",
"workerSizeId": "1",
"reserved": true,
"numberOfWorkers": 0
},
"sku": {
"Tier": "Standard",
"Name": "S1"
}
},
{
"apiVersion": "2020-06-01",
"name": "[parameters('siteName')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms/', variables('hostingPlanName'))]"
],
"properties": {
"name": "[parameters('siteName')]",
"serverFarmId": "[variables('hostingPlanName')]"
},
"resources": [
{
"apiVersion": "2020-06-01",
"name": "connectionstrings",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/sites/', parameters('siteName'))]"
],
"properties": {
"defaultConnection": {
"value": "[concat('Database=', variables('databaseName'), ';Data Source=', reference(resourceId('Microsoft.DBforMySQL/servers',variables('serverName'))).fullyQualifiedDomainName, ';User Id=', parameters('administratorLogin'),'@', variables('serverName'),';Password=', parameters('administratorLoginPassword'))]",
"type": "MySql"
}
}
}
]
},
{
"apiVersion": "2017-12-01",
"location": "[parameters('location')]",
"name": "[variables('serverName')]",
"type": "Microsoft.DBforMySQL/servers",
"sku": {
"name": "[parameters('databaseSkuName')]",
"tier": "[parameters('databaseSkuTier')]",
"capacity": "[parameters('databaseSkucapacity')]",
"size": "[parameters('databaseSkuSizeMB')]",
"family": "[parameters('databaseSkuFamily')]"
},
"properties": {
"createMode": "Default",
"version": "[parameters('mysqlVersion')]",
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"storageProfile": {
"storageMB": "[parameters('databaseSkuSizeMB')]",
"backupRetentionDays": 7,
"geoRedundantBackup": "Disabled"
},
"sslEnforcement": "Disabled"
},
"resources": [
{
"type": "firewallrules",
"apiVersion": "2017-12-01",
"dependsOn": [
"[resourceId('Microsoft.DBforMySQL/servers/databases', variables('serverName'), variables('databaseName'))]",
"[resourceId('Microsoft.DBforMySQL/servers/', variables('serverName'))]"
],
"location": "[parameters('location')]",
"name": "AllowAzureIPs",
"properties": {
"startIpAddress": "0.0.0.0",
"endIpAddress": "0.0.0.0"
}
},
{
"name": "[variables('databaseName')]",
"type": "databases",
"apiVersion": "2017-12-01",
"properties": {
"charset": "utf8",
"collation": "utf8_general_ci"
},
"dependsOn": [
"[resourceId('Microsoft.DBforMySQL/servers/', variables('serverName'))]"
]
}
]
}
]
}
