// Source: github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/arm/database/mssql.go

package database

import (
	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/database"
	"github.com/khulnasoft-lab/defsec/pkg/scanners/azure"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
)

// adaptMSSQLServers converts every "Microsoft.Sql/servers" resource in the
// deployment into a database.MSSQLServer. The result is nil when the
// deployment contains no such resource.
func adaptMSSQLServers(deployment azure.Deployment) (msSQlServers []database.MSSQLServer) {
	servers := deployment.GetResourcesByType("Microsoft.Sql/servers")
	for _, srv := range servers {
		adapted := adaptMSSQLServer(srv, deployment)
		msSQlServers = append(msSQlServers, adapted)
	}
	return msSQlServers
}

// adaptMSSQLServer builds the scanner model for a single SQL server resource.
//
// Defaults applied when a property is absent: SSL enforcement false, minimum
// TLS version "TLSEnforcementDisabled", public network access false.
//
// NOTE(review): "publicNetworkAccess" is read with AsBoolValue and a default of
// false. The ARM schema for Microsoft.Sql/servers documents this property as a
// string enum (e.g. "Enabled"/"Disabled"), and an omitted value means access is
// enabled on the Azure side. If AsBoolValue does not coerce strings (not
// visible here), EnablePublicNetworkAccess would always be false and any check
// for publicly reachable servers would silently pass. Confirm the accessor's
// behaviour and consider a default that fails closed.
//
// NOTE(review): "sslEnforcement" is presumably carried over from the
// PostgreSQL/MySQL adapters; verify that Microsoft.Sql/servers exposes it. The
// false default is at least conservative for a scanner.
func adaptMSSQLServer(resource azure.Resource, deployment azure.Deployment) database.MSSQLServer {
	// Keep the evaluation order of the original composite literal.
	sslEnforced := resource.Properties.GetMapValue("sslEnforcement").AsBoolValue(false, resource.Metadata)
	minTLS := resource.Properties.GetMapValue("minimalTlsVersion").AsStringValue("TLSEnforcementDisabled", resource.Metadata)
	publicAccess := resource.Properties.GetMapValue("publicNetworkAccess").AsBoolValue(false, resource.Metadata)
	firewallRules := addFirewallRule(resource)
	auditing := adaptExtendedAuditingPolicies(resource, deployment)
	alerts := adaptSecurityAlertPolicies(resource, deployment)

	server := database.Server{
		Metadata:                  resource.Metadata,
		EnableSSLEnforcement:      sslEnforced,
		MinimumTLSVersion:         minTLS,
		EnablePublicNetworkAccess: publicAccess,
		FirewallRules:             firewallRules,
	}

	return database.MSSQLServer{
		Metadata:                 resource.Metadata,
		Server:                   server,
		ExtendedAuditingPolicies: auditing,
		SecurityAlertPolicies:    alerts,
	}
}

// adaptExtendedAuditingPolicies collects the extended auditing settings found
// in the deployment. A missing "retentionDays" property is reported as 0.
//
// NOTE(review): the resource argument is never used, so the policies are
// gathered deployment-wide rather than per server. In a template that declares
// several SQL servers, a server without its own auditing settings would still
// be reported with another server's policy, hiding a missing-auditing finding.
func adaptExtendedAuditingPolicies(resource azure.Resource, deployment azure.Deployment) (policies []database.ExtendedAuditingPolicy) {
	settings := deployment.GetResourcesByType("Microsoft.Sql/servers/extendedAuditingSettings")
	for _, setting := range settings {
		retention := setting.Properties.GetMapValue("retentionDays").AsIntValue(0, setting.Metadata)
		policies = append(policies, database.ExtendedAuditingPolicy{
			Metadata:        setting.Metadata,
			RetentionInDays: retention,
		})
	}
	return policies
}

// adaptSecurityAlertPolicies collects the security alert policies found in the
// deployment. A missing "emailAccountAdmins" property is reported as false.
//
// NOTE(review): as with the auditing policies, the resource argument is unused
// and the lookup is deployment-wide, so alert policies are not tied to the
// server they belong to.
func adaptSecurityAlertPolicies(resource azure.Resource, deployment azure.Deployment) (policies []database.SecurityAlertPolicy) {
	alertPolicies := deployment.GetResourcesByType("Microsoft.Sql/servers/securityAlertPolicies")
	for _, alert := range alertPolicies {
		recipients := adaptStringList(alert.Properties.GetMapValue("emailAddresses"))
		disabled := adaptStringList(alert.Properties.GetMapValue("disabledAlerts"))
		notifyAdmins := alert.Properties.GetMapValue("emailAccountAdmins").AsBoolValue(false, alert.Metadata)

		policies = append(policies, database.SecurityAlertPolicy{
			Metadata:           alert.Metadata,
			EmailAddresses:     recipients,
			DisabledAlerts:     disabled,
			EmailAccountAdmins: notifyAdmins,
		})
	}
	return policies
}

// adaptStringList converts each element of a list value into a StringValue,
// using "" as the fallback for an element. Every element is tagged with the
// metadata of the enclosing list value, not its own. The result is nil when
// the list has no elements.
func adaptStringList(value azure.Value) []defsecTypes.StringValue {
	var out []defsecTypes.StringValue
	items := value.AsList()
	for _, item := range items {
		str := item.AsStringValue("", value.Metadata)
		out = append(out, str)
	}
	return out
}