Skip to content

feat(query): implements "Beta - SQL DB Instance With Global User Options" #7789

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

feat(query): implements "Beta - SQL DB Instance With Global User Options" #7789

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
5f78982
initial implementation
cx-andre-pereira Oct 22, 2025
4b1c96f
Merge branch 'master' into AST-116633_20_6.3.4_ensure_'user_options'_…
cx-andre-pereira Oct 27, 2025
d695920
fixed tests
cx-andre-pereira Oct 27, 2025
64e2e37
Merge branch 'AST-116633_20_6.3.4_ensure_'user_options'_flag_is_not_c…
cx-andre-pereira Oct 27, 2025
68f19dd
Merge branch 'master' of https://github.com/Checkmarx/kics into AST-1…
cx-andre-pereira Oct 28, 2025
110239c
simId transition update
cx-andre-pereira Oct 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
{
"id": "c8e4444e-d9a9-4426-be8e-9f1b8c43133c",
"queryName": "Beta - SQL DB Instance With Global User Options",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "No 'google_sql_database_instance' resource based on SQLSERVER should define the 'user options' flag",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1",
"platform": "Terraform",
"descriptionID": "c8e4444e",
"cloudProvider": "gcp",
"cwe": "250",
"riskScore": "3.0",
"experimental": "true"
}
42 changes: 42 additions & 0 deletions assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/query.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
package Cx

import data.generic.common as common_lib
import data.generic.terraform as tf_lib

CxPolicy[result] {
resource := input.document[i].resource.google_sql_database_instance[name]

contains(resource.database_version, "SQLSERVER")
results := get_results(resource, name)

result := {
"documentId": input.document[i].id,
"resourceType": "google_sql_database_instance",
"resourceName": tf_lib.get_resource_name(resource, name),
"searchKey": results.searchKey,
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should set 'user options' to '0'", [name]),
"keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'user options' to '%s'", [name, results.value]),
"searchLine": results.searchLine
}
}

get_results(resource, name) = results { # array
resource.settings.database_flags[x].name == "user options"
resource.settings.database_flags[x].value != "0"

results := {
"searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]),
"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []),
"value" : resource.settings.database_flags[x].value
}
} else = results { # single object
resource.settings.database_flags.name == "user options"
resource.settings.database_flags.value != "0"

results := {
"searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags.name", [name]),
"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], []),
"value" : resource.settings.database_flags.value
}
}
84 changes: 84 additions & 0 deletions assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/negative.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
resource "google_sql_database_instance" "negative_1" {
name = "main-instance"
database_version = "MYSQL_8_0" # Is not a SQLSERVER instance
region = "us-central1"

settings {
tier = "db-f1-micro"

database_flags{
name = "user options"
value = "2048" # ANSI_NULL_DFLT_OFF option
}
}
}

resource "google_sql_database_instance" "negative_2" {
name = "mysql-instance-without-flag"
database_version = "SQLSERVER_2017_STANDARD"
region = "us-central1"

# Defaults to "0"
}

resource "google_sql_database_instance" "negative_3" {
name = "sqlserver-instance-without-flag"
database_version = "SQLSERVER_2017_STANDARD"
region = "us-central1"

settings {} # Defaults to "0"
}

resource "google_sql_database_instance" "negative_4" {
name = "sqlserver-instance-without-flag"
database_version = "SQLSERVER_2017_STANDARD"
region = "us-central1"

settings {
database_flags {
name = "sample_flag1"
value = "off"
}
# Defaults to "0"
}
}

resource "google_sql_database_instance" "negative_5" {
name = "mysql-instance-with-flag"
database_version = "SQLSERVER_2019_STANDARD"
region = "us-central1"

settings {
tier = "db-f1-micro"

database_flags {
name = "sample_flag1"
value = "off"
}

database_flags { # Has flag set to "0"
name = "user options"
value = "0"
}

database_flags {
name = "sample_flag2"
value = "off"
}
}
}

resource "google_sql_database_instance" "negative_6" { # Single object support test
name = "mysql-instance-with-flag"
database_version = "SQLSERVER_2019_STANDARD"
region = "us-central1"

settings {
tier = "db-f1-micro"

database_flags {
name = "user options"
value = "0"
} # Has flag set to "0"
}
}
35 changes: 35 additions & 0 deletions assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
resource "google_sql_database_instance" "positive_1" {
name = "sqlserver-instance-with-flag"
database_version = "SQLSERVER_2017_EXPRESS"
region = "us-central1"

settings {
database_flags {
name = "sample_flag1"
value = "off"
}

database_flags { # Flag is not set to "0" - "32" triggers "ANSI_NULLS" option
name = "user options"
value = "32"
}

database_flags {
name = "sample_flag2"
value = "off"
}
}
}

resource "google_sql_database_instance" "positive_2" { # Single object support test
name = "sqlserver-instance-with-flag"
database_version = "SQLSERVER_2017_EXPRESS"
region = "us-central1"

settings {
database_flags {
name = "user options"
value = "16"
} # Flag is not set to "0" - "16" triggers "ANSI_PADDING" option
}
}
12 changes: 12 additions & 0 deletions ...terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
[
{
"queryName": "Beta - SQL DB Instance With Global User Options",
"severity": "MEDIUM",
"line": 13
},
{
"queryName": "Beta - SQL DB Instance With Global User Options",
"severity": "MEDIUM",
"line": 31
}
]
4 changes: 4 additions & 0 deletions assets/similarityID_transition/terraform_gcp.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,7 @@ similarityIDChangeList:
queryName: Beta - Google DNS Policy Logging Disabled
observations: ""
change: 2
- queryId: c8e4444e-d9a9-4426-be8e-9f1b8c43133c
queryName: Beta - SQL DB Instance With Global User Options
observations: ""
change: 2
Loading