search

aquasecurity / chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Apache License 2.0
712 stars 63 forks source link

1.1.16 and 1.1.17 producing false positives #123

Open chuglo opened 1 year ago

chuglo commented 1 year ago

Description

1.1.16 states that for each repository in use, we must validate that no one can “force push” code.

1.1.17 states that for each repository that is being used, we must verify that protected branches cannot be deleted.

The rule logic for these two benchmarks appears to be written in such a way that it produces false positives. When Allow force pushes and Allow deletions are checked, thus permitting the ability to force pushes and/or delete branches, Chain-Bench outputs a Passed where a Failed would be expected.

Screenshot 2023-03-17 at 10 42 29 AM Screenshot 2023-03-17 at 10 43 18 AM

The opposite will happen if you have them unchecked - you'll get a Failed result.

Looking at the rule logic in question

#Looking for default branch protection that restrict force push to branch
CbPolicy[msg] {
    not is_no_branch_protection
    is_branch_protection_restrict_force_push
    msg := {"ids": ["1.1.16"], "status": constsLib.status.Failed}
}

#Looking for default branch protection that restrict who can delete protected branch
CbPolicy[msg] {
    not is_no_branch_protection
    is_branch_protection_restrict_delete_branch
    msg := {"ids": ["1.1.17"], "status": constsLib.status.Failed}
}

this reads to say "when the branch is protected and disallows force pushes or deletions (in other words, if AllowForcePushes and AllowDeletions == false), produce a Failed result. In my mind, this should read as "when the branch is protected and allows force pushes or deletes, produce a Failed result.

Prepending not to both L226 and L233 causes Chain-Bench to produce an expected result.

ad-mcas commented 1 week ago

I don't know for 1.1.17, but for 1.1.16 the program has wrong.

Actual Result (if "allow_force_push": true in protected branch of gitlab):

1.1.16   Ensure force pushes code to branches is denied                   Failed

Excepted Result:

1.1.16   Ensure force pushes code to branches is denied                    Passed

And Actual Result (if "allow_force_push": false in protected branch of gitlab):

1.1.16   Ensure force pushes code to branches is denied                     Passed

Excepted Result:

1.1.16   Ensure force pushes code to branches is denied                     Failed

If we look others rules (for instance 1.1.12), the method to check the rule is always negative.

So for 1.1.16, the rule must be:

 CbPolicy[msg] {
    not is_no_branch_protection
    is_branch_protection_not_restrict_force_push
    msg := {"ids": ["1.1.16"], "status": constsLib.status.Failed}
}

with is_branch_protection_not_restrict_force_push:

is_branch_protection_not_restrict_force_push {
    input.BranchProtections.AllowForcePushes == true
}