terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version

Ensure MSSQL is using the latest version of TLS encryption

Definition

rules:
  - id: azure-mssql-service-mintls-version
    message: Ensure MSSQL is using the latest version of TLS encryption
    patterns:
      - pattern-either:
          - pattern: |
              "1.0"
          - pattern: |
              "1.1"
      - pattern-inside: minimum_tls_version = ...
      - pattern-inside: |
          $RESOURCE "azurerm_mssql_server" "..." {
          ...
          }
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING

Examples

azure-mssql-service-mintls-version.tf

# fail
resource "azurerm_mssql_server" "examplea" {
    name                          = var.server_name
    resource_group_name           = var.resource_group.name
    location                      = var.resource_group.location
    version                       = var.sql["version"]
    administrator_login           = var.sql["administrator_login"]
    administrator_login_password  = local.administrator_login_password
    # ruleid: azure-mssql-service-mintls-version
    minimum_tls_version           = "1.0"
    public_network_access_enabled = var.sql["public_network_access_enabled"]
    identity {
        type = "SystemAssigned"
    }
    tags = var.common_tags
}

# pass
resource "azurerm_mssql_server" "examplea" {
    name                          = var.server_name
    resource_group_name           = var.resource_group.name
    location                      = var.resource_group.location
    version                       = var.sql["version"]
    administrator_login           = var.sql["administrator_login"]
    administrator_login_password  = local.administrator_login_password
    minimum_tls_version           = "1.2"
    public_network_access_enabled = var.sql["public_network_access_enabled"]
    identity {
        type = "SystemAssigned"
    }
    tags = var.common_tags
}
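As an added illustration of what this rule does and does not catch (my own script, not Semgrep's or the rule's code): a small Python checker that flags the same "1.0"/"1.1" literals inside azurerm_mssql_server blocks and, going one step beyond the rule, also reports a server block that omits minimum_tls_version entirely, since the rule only matches an explicit weak literal and an unset attribute silently falls back to the provider default. The sample Terraform input and resource names are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample input mirroring the page's fail/pass cases (not the page's own file).
SAMPLE_TF = """
resource "azurerm_mssql_server" "legacy" {
    name                = "legacy-sql"
    minimum_tls_version = "1.0"
    identity {
        type = "SystemAssigned"
    }
}

resource "azurerm_mssql_server" "unset" {
    name = "unset-sql"
}

resource "azurerm_mssql_server" "hardened" {
    name                = "hardened-sql"
    minimum_tls_version = "1.2"
}
"""

# Resource header plus body; allows one level of nested blocks such as identity { ... }.
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{'
    r'(?P<body>(?:[^{}]|\{[^{}]*\})*)\}',
    re.DOTALL,
)
ATTR_RE = re.compile(r'^\s*minimum_tls_version\s*=\s*"(?P<ver>[^"]*)"', re.MULTILINE)

# The same literals the Semgrep rule matches.
WEAK_VERSIONS = {"1.0", "1.1"}


def find_weak_mssql_tls(hcl: str) -> List[Tuple[str, str]]:
    """Return (resource name, finding) for each azurerm_mssql_server needing attention."""
    findings = []
    for block in BLOCK_RE.finditer(hcl):
        if block.group("type") != "azurerm_mssql_server":
            continue
        attr = ATTR_RE.search(block.group("body"))
        if attr is None:  # the Semgrep rule stays silent here; report it so the default is reviewed
            findings.append((block.group("name"), "minimum_tls_version not set"))
        elif attr.group("ver") in WEAK_VERSIONS:
            findings.append((block.group("name"), f'minimum_tls_version = "{attr.group("ver")}"'))
    return findings
```

Running find_weak_mssql_tls(SAMPLE_TF) reports "legacy" for its explicit "1.0" and "unset" for the missing attribute, and leaves "hardened" alone.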