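package dns

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoRsaSha1 flags Google Cloud DNS managed zones whose DNSSEC default
// key specs sign with RSA SHA1 (AVD-GCP-0012). Both the key-signing key (KSK)
// and the zone-signing key (ZSK) are inspected independently, so a zone in
// which both keys use RSA SHA1 produces one finding per key rather than only
// the KSK finding. A zone only passes when neither key uses RSA SHA1.
var CheckNoRsaSha1 = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0012",
		Provider:    providers.GoogleProvider,
		Service:     "dns",
		ShortCode:   "no-rsa-sha1",
		Summary:     "Zone signing should not use RSA SHA1",
		Impact:      "Less secure encryption algorithm than others available",
		Resolution:  "Use RSA SHA512",
		Explanation: `RSA SHA1 is a weaker algorithm than SHA2-based algorithms such as RSA SHA256/512`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoRsaSha1GoodExamples,
			BadExamples:         terraformNoRsaSha1BadExamples,
			Links:               terraformNoRsaSha1Links,
			RemediationMarkdown: terraformNoRsaSha1RemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// The check walks every managed zone in the scanned Google state and
	// appends one failing result per key (KSK, ZSK) whose algorithm is
	// "rsasha1", or a single passed result when neither key matches.
	func(s *state.State) (results scan.Results) {
		for _, zone := range s.Google.DNS.ManagedZones {
			// Zones that are not managed by the scanned configuration
			// (e.g. referenced but defined elsewhere) carry no key specs
			// worth evaluating.
			if zone.Metadata.IsUnmanaged() {
				continue
			}

			// "rsasha1" is the algorithm name as the provider reports it;
			// it is compared as-is, so both keys are evaluated separately
			// instead of with an else-if that would hide the ZSK finding
			// when the KSK already failed.
			failed := false
			if zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm.EqualTo("rsasha1") {
				results.Add(
					"Zone KSK uses RSA SHA1 for signing.",
					zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm,
				)
				failed = true
			}
			if zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Algorithm.EqualTo("rsasha1") {
				results.Add(
					"Zone ZSK uses RSA SHA1 for signing.",
					zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Algorithm,
				)
				failed = true
			}
			if !failed {
				results.AddPassed(&zone)
			}
		}
		return
	},
)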