terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version
semgrep
Author
unknown
Download Count*
License
Ensure MSSQL is using the latest version of TLS encryption
Run Locally
Run in CI
Defintion
rules:
- id: azure-mssql-service-mintls-version
message: Ensure MSSQL is using the latest version of TLS encryption
patterns:
- pattern-either:
- pattern: |
"1.0"
- pattern: |
"1.1"
- pattern-inside: minimum_tls_version = ...
- pattern-inside: |
$RESOURCE "azurerm_mssql_server" "..." {
...
}
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-326: Inadequate Encryption Strength"
category: security
technology:
- terraform
- azure
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
languages:
- hcl
severity: WARNING
Examples
azure-mssql-service-mintls-version.tf
# fail
resource "azurerm_mssql_server" "examplea" {
name = var.server_name
resource_group_name = var.resource_group.name
location = var.resource_group.location
version = var.sql["version"]
administrator_login = var.sql["administrator_login"]
administrator_login_password = local.administrator_login_password
# ruleid: azure-mssql-service-mintls-version
minimum_tls_version = "1.0"
public_network_access_enabled = var.sql["public_network_access_enabled"]
identity {
type = "SystemAssigned"
}
tags = var.common_tags
}
# pass
resource "azurerm_mssql_server" "examplea" {
name = var.server_name
resource_group_name = var.resource_group.name
location = var.resource_group.location
version = var.sql["version"]
administrator_login = var.sql["administrator_login"]
administrator_login_password = local.administrator_login_password
minimum_tls_version = "1.2"
public_network_access_enabled = var.sql["public_network_access_enabled"]
identity {
type = "SystemAssigned"
}
tags = var.common_tags
}
Short Link: https://sg.run/B1lW