Add check for microsoft as a publisher (bridgecrewio#2737)

Co-authored-by: Derek Moore <[email protected]>
ntravis · Apr 1, 2022 · c87677b · c87677b
1 parent 4056ee3
commit c87677b
Show file tree

Hide file tree

Showing 3 changed files with 225 additions and 1 deletion.
diff --git a/checkov/arm/checks/resource/AzureInstancePassword.py b/checkov/arm/checks/resource/AzureInstancePassword.py
@@ -20,7 +20,8 @@ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
                 image_reference = storage_profile.get("imageReference")
                 if isinstance(image_reference, dict):
                     publisher = image_reference.get("publisher")
-                    if publisher and "windows" in publisher.lower():
+                    if publisher and ("windows" in publisher.lower() or
+                                      "microsoft" in publisher.lower()):
                         # This check is not relevant to Windows systems
                         return CheckResult.UNKNOWN
 

diff --git a/tests/arm/checks/resource/example_AzureInstancePassword/UNKNOWN_1.json b/tests/arm/checks/resource/example_AzureInstancePassword/UNKNOWN_1.json
@@ -0,0 +1,222 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.4.1272.37030",
+      "templateHash": "8632881811182083410"
+    }
+  },
+  "parameters": {
+    "vmName": {
+      "type": "string",
+      "metadata": {
+        "description": "The name of the VM"
+      }
+    },
+    "vmSize": {
+      "type": "string",
+      "metadata": {
+        "description": "The virtual machine size."
+      }
+    },
+    "vmResouceGroupLocation": {
+      "type": "string",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    },
+    "vnetResourceGroup": {
+      "type": "string",
+      "metadata": {
+        "description": "Virtual Network Resource Group"
+      }
+    },
+    "subnetName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the subnet within the virtual network"
+      }
+    },
+    "virtualNetworkName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the existing virtual network"
+      }
+    },
+    "osDiskType": {
+      "type": "string",
+      "metadata": {
+        "description": "Determines the storage type used for the OS disk"
+      }
+    },
+    "adminUsername": {
+      "type": "string",
+      "metadata": {
+        "description": "The admin user name of the VM"
+      }
+    },
+    "clientSecret": {
+      "type": "secureString",
+      "metadata": {
+        "description": "The admin password of the VM"
+      }
+    },
+    "timeZone": {
+      "type": "string",
+      "metadata": {
+        "description": "TimeZone"
+      }
+    },
+    "diagstorageName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the storage account for boot diagnostics and VM diagnostics"
+      }
+    },
+    "sqlVirtualMachineName": {
+      "type": "string",
+      "metadata": {
+        "description": "Same as the vmName"
+      }
+    },
+    "sqlDataDisksCount": {
+      "type": "int",
+      "maxValue": 8,
+      "minValue": 1,
+      "metadata": {
+        "description": "Amount of data disks (1TB each) for SQL Data files"
+      }
+    },
+    "dataPath": {
+      "type": "string",
+      "metadata": {
+        "description": "Path for SQL Data files. Please choose drive letter from F to Z, and other drives from A to E are reserved for system"
+      }
+    },
+    "sqlLogDisksCount": {
+      "type": "int",
+      "maxValue": 8,
+      "minValue": 1,
+      "metadata": {
+        "description": "Amount of data disks (1TB each) for SQL Log files"
+      }
+    },
+    "logPath": {
+      "type": "string",
+      "metadata": {
+        "description": "Path for SQL Log files. Please choose drive letter from F to Z and different than the one used for SQL data. Drive letter from A to E are reserved for system"
+      }
+    },
+    "tempDbPath": {
+      "type": "string",
+      "metadata": {
+        "description": "Path for SQL tempdb files. Please choose drive letter from F to Z and different than the one used for SQL data. Drive letter from A to E are reserved for system"
+      }
+    },
+    "resourceTags": {
+      "type": "object",
+      "metadata": {
+        "description": "This will be used as a tag"
+      }
+    },
+    "OSDiskSize": {
+      "type": "int",
+      "metadata": {
+        "description": "Determines the size of the default data disk in GB"
+      }
+    }
+  },
+  "variables": {
+    "networkInterfaceName_var": "[format('nic-{0}-001', parameters('vmName'))]",
+    "osDisk": "[format('{0}-osDisk', parameters('vmName'))]",
+    "diskConfigurationType": "NEW",
+    "dataDisksLuns": "[array(range(0, parameters('sqlDataDisksCount')))]",
+    "logDisksLuns": "[array(range(parameters('sqlDataDisksCount'), parameters('sqlLogDisksCount')))]",
+    "dataDisks": {
+      "caching": "ReadOnly",
+      "writeAcceleratorEnabled": false,
+      "storageAccountType": "Premium_LRS",
+      "dataDiskSize": 1023
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Compute/virtualMachines",
+      "apiVersion": "2021-11-01",
+      "name": "[parameters('vmName')]",
+      "location": "[parameters('vmResouceGroupLocation')]",
+      "tags": "[parameters('resourceTags')]",
+      "properties": {
+        "hardwareProfile": {
+          "vmSize": "[parameters('vmSize')]"
+        },
+        "storageProfile": {
+          "copy": [
+            {
+              "name": "dataDisks",
+              "count": "[length(range(0, add(parameters('sqlDataDisksCount'), parameters('sqlLogDisksCount'))))]",
+              "input": {
+                "lun": "[range(0, add(parameters('sqlDataDisksCount'), parameters('sqlLogDisksCount')))[copyIndex('dataDisks')]]",
+                "createOption": "Empty",
+                "caching": "[if(greaterOrEquals(range(0, add(parameters('sqlDataDisksCount'), parameters('sqlLogDisksCount')))[copyIndex('dataDisks')], parameters('sqlDataDisksCount')), 'None', variables('dataDisks').caching)]",
+                "writeAcceleratorEnabled": "[variables('dataDisks').writeAcceleratorEnabled]",
+                "diskSizeGB": "[variables('dataDisks').dataDiskSize]",
+                "managedDisk": {
+                  "storageAccountType": "[variables('dataDisks').storageAccountType]"
+                }
+              }
+            }
+          ],
+          "osDisk": {
+            "name": "[variables('osDisk')]",
+            "diskSizeGB": "[parameters('OSDiskSize')]",
+            "createOption": "FromImage",
+            "managedDisk": {
+              "storageAccountType": "[parameters('osDiskType')]"
+            }
+          },
+          "imageReference": {
+            "publisher": "MicrosoftSQLServer",
+            "offer": "sql2019-ws2022",
+            "sku": "enterprise-gen2",
+            "version": "latest"
+          }
+        },
+        "networkProfile": {
+          "networkInterfaces": [
+            {
+              "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName_var'))]"
+            }
+          ]
+        },
+        "osProfile": {
+          "computerName": "[parameters('vmName')]",
+          "adminUsername": "[parameters('adminUsername')]",
+          "adminPassword": "[parameters('clientSecret')]",
+          "windowsConfiguration": {
+            "enableAutomaticUpdates": true,
+            "provisionVMAgent": true,
+            "timeZone": "[parameters('timeZone')]"
+          }
+        },
+        "diagnosticsProfile": {
+          "bootDiagnostics": {
+            "enabled": true,
+            "storageUri": "[format('http://{0}.blob.core.windows.net', parameters('diagstorageName'))]"
+          }
+        }
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName_var'))]"
+      ]
+    }
+  ],
+  "outputs": {
+    "adminUsername": {
+      "type": "string",
+      "value": "[parameters('adminUsername')]"
+    }
+  }
+}
diff --git a/tests/arm/checks/resource/test_AzureInstancePassword.py b/tests/arm/checks/resource/test_AzureInstancePassword.py
@@ -31,6 +31,7 @@ def test_summary(self):
         self.assertEqual(summary["failed"], 1)
         self.assertEqual(summary["skipped"], 0)
         self.assertEqual(summary["parsing_errors"], 0)
+        self.assertEqual(summary["resource_count"], 17)  # includes 2 unknown
 
         self.assertEqual(passing_resources, passed_check_resources)
         self.assertEqual(failing_resources, failed_check_resources)