mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-12 15:50:15 -08:00
48dfedeb1e
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
105 lines
4.2 KiB
Go
105 lines
4.2 KiB
Go
package database
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/aquasecurity/trivy/pkg/iac/providers/azure/database"
|
|
"github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
|
|
iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
|
|
)
|
|
|
|
func adaptPostgreSQLServers(deployment azure.Deployment) (databases []database.PostgreSQLServer) {
|
|
for _, resource := range deployment.GetResourcesByType("Microsoft.DBforPostgreSQL/servers") {
|
|
databases = append(databases, adaptPostgreSQLServer(resource, deployment))
|
|
}
|
|
|
|
return databases
|
|
}
|
|
|
|
func adaptPostgreSQLServer(resource azure.Resource, deployment azure.Deployment) database.PostgreSQLServer {
|
|
properties := resource.Properties
|
|
geoRedundantBackup := properties.GetMapValue("storageProfile").GetMapValue("geoRedundantBackup")
|
|
geoRedundantBackupEnabled := geoRedundantBackup.AsStringValue("Disabled", resource.Metadata)
|
|
|
|
threatDetectionPolicy := adaptThreatDetectionPolicy(resource, deployment)
|
|
|
|
return database.PostgreSQLServer{
|
|
Metadata: resource.Metadata,
|
|
Server: database.Server{
|
|
Metadata: resource.Metadata,
|
|
EnableSSLEnforcement: properties.GetMapValue("sslEnforcement").AsBoolValue(false, resource.Metadata),
|
|
MinimumTLSVersion: properties.GetMapValue("minimalTlsVersion").AsStringValue("TLSEnforcementDisabled", resource.Metadata),
|
|
EnablePublicNetworkAccess: properties.GetMapValue("publicNetworkAccess").AsBoolValue(false, resource.Metadata),
|
|
FirewallRules: addFirewallRule(resource),
|
|
},
|
|
Config: adaptPostgreSQLConfiguration(resource, deployment),
|
|
GeoRedundantBackupEnabled: iacTypes.Bool(geoRedundantBackupEnabled.EqualTo("Enabled"), geoRedundantBackup.GetMetadata()),
|
|
ThreatDetectionPolicy: threatDetectionPolicy,
|
|
}
|
|
}
|
|
|
|
func adaptPostgreSQLConfiguration(resource azure.Resource, deployment azure.Deployment) database.PostgresSQLConfig {
|
|
|
|
parent := fmt.Sprintf("%s/", resource.Name.AsString())
|
|
|
|
config := database.PostgresSQLConfig{
|
|
Metadata: resource.Metadata,
|
|
LogCheckpoints: iacTypes.BoolDefault(false, resource.Metadata),
|
|
ConnectionThrottling: iacTypes.BoolDefault(false, resource.Metadata),
|
|
LogConnections: iacTypes.BoolDefault(false, resource.Metadata),
|
|
LogDisconnections: iacTypes.BoolDefault(false, resource.Metadata),
|
|
}
|
|
|
|
for _, configuration := range deployment.GetResourcesByType("Microsoft.DBforPostgreSQL/servers/configurations") {
|
|
if !strings.HasPrefix(configuration.Name.AsString(), parent) {
|
|
continue
|
|
}
|
|
val := configuration.Properties.GetMapValue("value")
|
|
if strings.HasSuffix(configuration.Name.AsString(), "log_checkpoints") {
|
|
config.LogCheckpoints = val.AsBoolValue(false, configuration.Metadata)
|
|
continue
|
|
}
|
|
if strings.HasSuffix(configuration.Name.AsString(), "log_connections") {
|
|
config.LogConnections = val.AsBoolValue(false, configuration.Metadata)
|
|
continue
|
|
}
|
|
if strings.HasSuffix(configuration.Name.AsString(), "connection_throttling") {
|
|
config.ConnectionThrottling = val.AsBoolValue(false, configuration.Metadata)
|
|
continue
|
|
}
|
|
if strings.HasSuffix(configuration.Name.AsString(), "log_disconnections") {
|
|
config.LogDisconnections = val.AsBoolValue(false, configuration.Metadata)
|
|
continue
|
|
}
|
|
}
|
|
|
|
return config
|
|
}
|
|
|
|
func adaptThreatDetectionPolicy(resource azure.Resource, deployment azure.Deployment) database.ThreatDetectionPolicy {
|
|
// Threat detection policy is configured via Microsoft.DBforPostgreSQL/servers/securityAlertPolicies
|
|
// This is a separate child resource, not a property of the server resource
|
|
parent := fmt.Sprintf("%s/", resource.Name.AsString())
|
|
|
|
enabled := false
|
|
metadata := resource.Metadata
|
|
|
|
// Look for security alert policy resources that belong to this server
|
|
for _, policy := range deployment.GetResourcesByType("Microsoft.DBforPostgreSQL/servers/securityAlertPolicies") {
|
|
if !strings.HasPrefix(policy.Name.AsString(), parent) {
|
|
continue
|
|
}
|
|
// Found the security alert policy for this server
|
|
state := policy.Properties.GetMapValue("state").AsStringValue("Disabled", policy.Metadata)
|
|
enabled = state.EqualTo("Enabled")
|
|
metadata = policy.Properties.GetMapValue("state").GetMetadata()
|
|
break
|
|
}
|
|
|
|
return database.ThreatDetectionPolicy{
|
|
Metadata: metadata,
|
|
Enabled: iacTypes.Bool(enabled, metadata),
|
|
}
|
|
}
|