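package network

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// outdatedSSLPolicies holds the load balancer TLSPolicy values this rule
// treats as outdated. Each policy appears to be listed in two forms (a short
// numeric value and a descriptive name) so that either spelling in the scanned
// configuration is matched. The empty string is included so an HTTPS listener
// whose TLSPolicy value is empty is reported as well.
var outdatedSSLPolicies = []string{
	"",
	"1",
	"Standard Ciphers A ver1",
	"2",
	"Standard Ciphers B ver1",
	"3",
	"Standard Ciphers C ver1",
	"5",
	"Ats Ciphers A ver1",
	"8",
	"Ats Ciphers D ver1",
}

// CheckUseSecureTlsPolicy flags HTTPS load balancer listeners whose TLSPolicy
// is one of outdatedSSLPolicies. Every listener contributes exactly one result:
// a failure attached to the offending TLSPolicy value, or a pass. Listeners on
// protocols other than HTTPS are not subject to the policy check and pass.
var CheckUseSecureTlsPolicy = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0020",
		Provider:    providers.NifcloudProvider,
		Service:     "network",
		ShortCode:   "use-secure-tls-policy",
		Summary:     "An outdated SSL policy is in use by a load balancer.",
		Impact:      "The SSL policy is outdated and has known vulnerabilities",
		Resolution:  "Use a more recent TLS/SSL policy for the load balancer",
		Explanation: `You should not use outdated/insecure TLS versions for encryption. 
You should be using TLS v1.2+.`,
		Links: []string{
			"https://pfs.nifcloud.com/service/lb_l4.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
			BadExamples:         terraformUseSecureTlsPolicyBadExamples,
			Links:               terraformUseSecureTlsPolicyLinks,
			RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, lb := range s.Nifcloud.Network.LoadBalancers {
			for _, listener := range lb.Listeners {
				// Decide once per listener whether its policy is outdated, so
				// the listener yields a single result instead of one result
				// per candidate policy (which would add spurious passes next
				// to a genuine failure).
				outdated := false
				if listener.Protocol.EqualTo("HTTPS") {
					for _, policy := range outdatedSSLPolicies {
						if listener.TLSPolicy.EqualTo(policy) {
							outdated = true
							break
						}
					}
				}
				if outdated {
					results.Add(
						"Listener uses an outdated TLS policy.",
						listener.TLSPolicy,
					)
					continue
				}
				results.AddPassed(&listener)
			}
		}
		return
	},
)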