
     1  package ec2
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2"
     5  	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
     6  	"github.com/khulnasoft-lab/defsec/pkg/types"
     7  )
     8  
// getSecurityGroups adapts every AWS::EC2::SecurityGroup resource in the
// template into the provider-neutral ec2.SecurityGroup model. The returned
// slice is nil when the template declares no security groups.
func getSecurityGroups(ctx parser.FileContext) (groups []ec2.SecurityGroup) {
	resources := ctx.GetResourcesByType("AWS::EC2::SecurityGroup")
	for _, res := range resources {
		meta := res.Metadata()
		name := res.GetStringProperty("GroupName")
		// The group is treated as "default" purely on its GroupName; the bool
		// carries the resource metadata so a finding points at this resource.
		isDefault := types.Bool(name.EqualTo("default"), meta)
		groups = append(groups, ec2.SecurityGroup{
			Metadata:     meta,
			Description:  res.GetStringProperty("GroupDescription"),
			IngressRules: getIngressRules(res),
			EgressRules:  getEgressRules(res),
			IsDefault:    isDefault,
			VPCID:        res.GetStringProperty("VpcId"),
		})
	}
	return groups
}
    24  
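// getIngressRules adapts the inline SecurityGroupIngress list of a security
// group resource. See getSecurityGroupRules for the shape of each rule.
func getIngressRules(r *parser.Resource) []ec2.SecurityGroupRule {
	return getSecurityGroupRules(r, "SecurityGroupIngress")
}

// getEgressRules adapts the inline SecurityGroupEgress list of a security
// group resource. See getSecurityGroupRules for the shape of each rule.
func getEgressRules(r *parser.Resource) []ec2.SecurityGroupRule {
	return getSecurityGroupRules(r, "SecurityGroupEgress")
}

// getSecurityGroupRules reads the rule list stored under property
// (SecurityGroupIngress or SecurityGroupEgress) and adapts each entry into an
// ec2.SecurityGroupRule carrying its Description and any non-empty CidrIp /
// CidrIpv6 string values. The result is nil when the property is absent or
// is not a list.
//
// Only CIDR-based sources are captured. An entry whose CidrIp/CidrIpv6 is
// missing, empty or not a resolved string (presumably a source given as a
// security-group reference such as SourceSecurityGroupId, or a value that did
// not resolve) is still emitted, but with no CIDRs — so CIDR-based checks
// downstream have nothing to evaluate for that rule and will not report it.
func getSecurityGroupRules(r *parser.Resource, property string) []ec2.SecurityGroupRule {
	list := r.GetProperty(property)
	if !list.IsList() {
		return nil
	}
	var rules []ec2.SecurityGroupRule
	for _, entry := range list.AsList() {
		rule := ec2.SecurityGroupRule{
			Metadata:    entry.Metadata(),
			Description: entry.GetStringProperty("Description"),
		}
		// Each CIDR keeps the metadata of the property it was read from so a
		// finding can point at the exact template location of that value.
		for _, key := range []string{"CidrIp", "CidrIpv6"} {
			cidr := entry.GetProperty(key)
			if cidr.IsString() && cidr.AsStringValue().IsNotEmpty() {
				rule.CIDRs = append(rule.CIDRs, types.StringExplicit(cidr.AsString(), cidr.Metadata()))
			}
		}
		rules = append(rules, rule)
	}
	return rules
}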