Bump armsecurity

elastic · Aug 26, 2024 · f3a1a9b · f3a1a9b
1 parent e2448ec
commit f3a1a9b
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 36 deletions.
diff --git a/go.mod b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/postgresql/armpostgresqlflexibleservers v1.1.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions v1.3.0
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity v0.13.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity v0.14.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.6.0
 	github.com/aquasecurity/go-dep-parser v0.0.0-20240606050805-1de9a375c629

diff --git a/go.sum b/go.sum
@@ -470,8 +470,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions v1.3.0 h1:wxQx2Bt4xzPIKvW59WQf1tJNx/ZZKPfN+EhPX3Z6CYY=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions v1.3.0/go.mod h1:TpiwjwnW/khS0LKs4vW5UmmT9OWcxaveS8U7+tlknzo=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity v0.13.0 h1:bvkjXDmjYA1qRJwqI+mmFYKioiLRUbR1eAOWsf4a+e4=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity v0.13.0/go.mod h1:rVjowC1tCYv0Uw9/YHbrLzUjuTb8nMqih36SmasUhEo=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity v0.14.0 h1:JfjIyBJvEvQNP/9MEUo1/6eoiPkiag2OZImw32xakcc=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity v0.14.0/go.mod h1:HakuHOrWlp2G1WlFvkL7JApTZAbxRJnRiz+w4SYak5s=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql v1.2.0 h1:S087deZ0kP1RUg4pU7w9U9xpUedTCbOtz+mnd0+hrkQ=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql v1.2.0/go.mod h1:B4cEyXrWBmbfMDAPnpJ1di7MAt5DKP57jPEObAvZChg=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.6.0 h1:PiSrjRPpkQNjrM8H0WwKMnZUdu1RGMtd/LdGKUrOo+c=

diff --git a/internal/resources/providers/azurelib/inventory/security_provider.go b/internal/resources/providers/azurelib/inventory/security_provider.go
@@ -161,7 +161,7 @@ func (p *securityContactsProvider) ListSecurityContacts(ctx context.Context, sub
 func (p *securityContactsProvider) transformSecurityContract(contact *armsecurity.Contact, subscriptionID string) AzureAsset {
 	properties := map[string]any{}
 
-	maps.AddIfNotNil(properties, "alertNotifications", contact.Properties.AlertNotifications)
+	maps.AddIfSliceNotEmpty(properties, "notificationsSources", contact.Properties.NotificationsSources)
 	maps.AddIfNotNil(properties, "emails", contact.Properties.Emails)
 	maps.AddIfNotNil(properties, "notificationsByRole", contact.Properties.NotificationsByRole)
 	maps.AddIfNotNil(properties, "phone", contact.Properties.Phone)

diff --git a/internal/resources/providers/azurelib/inventory/security_provider_test.go b/internal/resources/providers/azurelib/inventory/security_provider_test.go
@@ -33,9 +33,9 @@ func TestListSecurityContacts(t *testing.T) {
 	notificationsByRole := func(roles []string, state string) *armsecurity.ContactPropertiesNotificationsByRole {
 		n := &armsecurity.ContactPropertiesNotificationsByRole{}
 		n.State = (*armsecurity.State)(&state)
-		n.Roles = make([]*armsecurity.Roles, 0, len(roles))
+		n.Roles = make([]*armsecurity.SecurityContactRole, 0, len(roles))
 		for _, r := range roles {
-			n.Roles = append(n.Roles, (*armsecurity.Roles)(&r))
+			n.Roles = append(n.Roles, (*armsecurity.SecurityContactRole)(&r))
 		}
 		return n
 	}

diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/rule.rego
@@ -19,10 +19,13 @@ finding = result if {
 default notification_alert_high = false
 
 notification_alert_high if {
-	# Ensure at least one Security Contact Settings exists and alertNotifications severity is set to high.
+	# Ensure at least one Security Contact Settings exists and alertNotifications severity is set to high, low, or medium.
 	some security_contact in data_adapter.resource
 
 	security_contact.name == "default"
-	lower(security_contact.properties.alertNotifications.state) == "on"
-	lower(security_contact.properties.alertNotifications.minimalSeverity) in ["low", "medium", "high"]
+
+	some notification_source in security_contact.properties.notificationsSources
+
+	lower(notification_source.sourceType) == "alert"
+	lower(notification_source.minimalSeverity) in ["low", "medium", "high"]
 }
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/test.rego
@@ -8,74 +8,74 @@ import future.keywords.if
 test_violation if {
 	eval_fail with input as test_data.generate_security_contacts([test_data.generate_single_security_contact(
 		"default",
-		prop_alert_notifications({
-			"state": "Off",
+		prop_notification_sources([{
 			"minimalSeverity": "Medium",
-		}),
+			"sourceType": "Another",
+		}]),
 	)])
 
 	eval_fail with input as test_data.generate_security_contacts([test_data.generate_single_security_contact(
 		"default",
-		prop_alert_notifications({"state": "On"}),
+		prop_notification_sources([{"sourceType": "Alert"}]),
 	)])
 
 	eval_fail with input as test_data.generate_security_contacts([
 		test_data.generate_single_security_contact(
 			"non-default",
-			prop_alert_notifications({
-				"state": "On",
+			prop_notification_sources([{
 				"minimalSeverity": "High",
-			}),
+				"sourceType": "Alert",
+			}]),
 		),
 		test_data.generate_single_security_contact(
 			"default",
-			prop_alert_notifications({
-				"state": "On",
-				"minimalSeverity": "Wrong Value",
-			}),
+			prop_notification_sources([{
+				"minimalSeverity": "Wrong value",
+				"sourceType": "Alert",
+			}]),
 		),
 	])
 }
 
 test_pass if {
 	eval_pass with input as test_data.generate_security_contacts([test_data.generate_single_security_contact(
 		"default",
-		prop_alert_notifications({
-			"state": "On",
+		prop_notification_sources([{
 			"minimalSeverity": "High",
-		}),
+			"sourceType": "Alert",
+		}]),
 	)])
 
 	eval_pass with input as test_data.generate_security_contacts([test_data.generate_single_security_contact(
 		"default",
-		prop_alert_notifications({
-			"state": "On",
+		prop_notification_sources([{
 			"minimalSeverity": "Medium",
-		}),
+			"sourceType": "Alert",
+		}]),
 	)])
 
 	eval_pass with input as test_data.generate_security_contacts([test_data.generate_single_security_contact(
 		"default",
-		prop_alert_notifications({
-			"state": "On",
+		prop_notification_sources([{
 			"minimalSeverity": "Low",
-		}),
+			"sourceType": "Alert",
+		}]),
 	)])
 
 	eval_pass with input as test_data.generate_security_contacts([
 		test_data.generate_single_security_contact(
 			"non-default",
-			prop_alert_notifications({
-				"state": "On",
+			prop_notification_sources([{
 				"minimalSeverity": "Low",
-			}),
+				"sourceType": "Alert",
+			}]),
 		),
 		test_data.generate_single_security_contact(
 			"default",
-			prop_alert_notifications({
-				"state": "On",
+			prop_notification_sources([{
 				"minimalSeverity": "High",
-			}),
+				"sourceType": "Alert",
+			}]),
 		),
 	])
 }
@@ -96,4 +96,4 @@ not_eval if {
 	not finding with data.benchmark_data_adapter as data_adapter
 }
 
-prop_alert_notifications(alertNotifications) = {"alertNotifications": alertNotifications}
+prop_notification_sources(notificationsSource) = {"notificationsSources": notificationsSource}