fix(query): add supports for Microsoft.Web/sites/config on Web App Not Using TLS Last Version for AzureResourceManager

[cx-ricardo-jesus]

Reason for Proposed Changes

• Currently the query "Web App Not Using TLS Last Version" does not take into account the scenarios where a resource of type Microsoft.Web/sites/config, which is a 'child' resource from Microsoft.Web/sites, does not have the field minTlsVersion defined or when it's defined to a version below 1.2.

Proposed Changes

• With these changes, the query now has two policies.
• The first policy still covers the same scenarios as before, which were the scenarios where the field siteConfig.minTlsVersion was not defined or when it was defined to a version that is not either 1.2 or 1.3. The only changes in this policy are that it also searches for child resources and verifies if there are none. This is to prevent this policy from flagging the cases when the parent resource of type Microsoft.Web/sites does not have the field minTlsVersion defined, but the child resource of type Microsoft.Web/sites/config can have or not any vulnerable configuration, which the second policy targets.
• The second policy is for the cases when a parent resource of type Microsoft.Web/sites has one or more child resources of type Microsoft.Web/sites/config and use an helper function called check_tls_version to handle all three scenarios:
  • When a child resource does not have the field minTlsVersion defined, and the parent resource has the field defined to a version that is not either 1.2 or 1.3.
  • When both the parent and child resource don't have the field minTlsVersion defined.
  • When the child resource has the field defined with a value that is not either 1.2 or 1.3.
• Besides all the changes mentioned above, I also made changes in order to remove the usage of the walk function, as this walk function can cause some performance degradation.
• On the Web App Not Using TLS Last Version, I added the helper function web_site_resources that replaces the usage of walk() built-in function to find resources of type Microsoft.Web/sites.
• The function iterates in three locations: root level resources, resources inside templates and resources nested inside other resources.
• On the query SQL Server Database Without Auditing, added the helper function sql_database_resources that also replaces the usage of the walk() built-in function. Also added the helper function get_outer_children_resources that replaces the usage of the walk function inside the get_outer_children function.
• Both functions in this last query support two levels of nested resources, and the helper function used in the first query only supports one level of nested resources.
• For now, this is enough to cover the cases that the queries cover.

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.18

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0

[cx-artur-ribeiro]

Hey Ricardo, nice changes overall, glad you noticed the missing positive test.
However, I've seen that for 2 cases that I've pointed out below, the 'search_line' is -1. Can you check why and fix it please?

[cx-artur-ribeiro]

Nice work refactoring the queries to take into consideration more cases Ricardo!