terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1
semgrep
Author
unknown
Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC
Definition
rules:
  - id: gcp-dns-key-specs-rsasha1
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "google_dns_managed_zone" "..." {
            ...
            dnssec_config {
              ...
              default_key_specs {
                ...
                algorithm = "rsasha1"
                key_type = "zoneSigning"
                ...
              }
              ...
            }
            ...
          }
      - pattern-inside: |
          resource "google_dns_managed_zone" "..." {
            ...
            dnssec_config {
              ...
              default_key_specs {
                ...
                algorithm = "rsasha1"
                key_type = "keySigning"
                ...
              }
              ...
            }
            ...
          }
    message: "Ensure that RSASHA1 is not used for the zone-signing and key-signing
      keys in Cloud DNS DNSSEC"
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      category: security
      technology:
        - terraform
        - gcp
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING
Examples
gcp-dns-key-specs-rsasha1.tf
# fail
# ruleid: gcp-dns-key-specs-rsasha1
resource "google_dns_managed_zone" "fail" {
  name        = "example-zone"
  dns_name    = "example-de13he3.com."
  description = "Example DNS zone"
  dnssec_config {
    state = "on"
    default_key_specs {
      algorithm  = "rsasha1"
      key_length = 1024
      key_type   = "zoneSigning"
    }
    default_key_specs {
      algorithm  = "rsasha1"
      key_length = 2048
      key_type   = "keySigning"
    }
  }
}

# ok: gcp-dns-key-specs-rsasha1
resource "google_dns_managed_zone" "success" {
  name        = "example-zone"
  dns_name    = "example-de13he3.com."
  description = "Example DNS zone"
  dnssec_config {
    state = "on"
    default_key_specs {
      algorithm  = "rsasha256"
      key_length = 1024
      key_type   = "zoneSigning"
    }
    default_key_specs {
      algorithm  = "rsasha256"
      key_length = 2048
      key_type   = "keySigning"
    }
  }
}
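A caveat on the rule's logic: the two pattern-inside clauses under patterns are ANDed, so the rule only fires when one zone declares RSASHA1 for both the zone-signing and the key-signing key. A zone that uses RSASHA1 for just one of them (say a weak ZSK next to an ECDSA KSK) is not reported. The script below is an added example, not part of the Semgrep rule or of this registry page: a small brace-matching scanner for Terraform text that reports every default_key_specs block using rsasha1 whatever its key_type, and also reports algorithm values that are not among the ones the google_dns_managed_zone provider documents (rsasha1, rsasha256, rsasha512, ecdsap256sha256, ecdsap384sha384), so a typo does not pass silently. The sample Terraform it scans is constructed for the example, and the Finding dataclass and find_weak_dnssec_keys function are names chosen here, not from any library.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values Cloud DNS accepts for default_key_specs.algorithm (provider docs).
WEAK_ALGORITHMS = {"rsasha1"}
STRONG_ALGORITHMS = {"rsasha256", "rsasha512", "ecdsap256sha256", "ecdsap384sha384"}


@dataclass
class Finding:
    zone: str               # Terraform resource name of the managed zone
    key_type: str           # "zoneSigning" / "keySigning" ("?" if not set)
    algorithm: str
    key_length: Optional[int]
    reason: str


_ZONE_RE = re.compile(r'resource\s+"google_dns_managed_zone"\s+"([^"]+)"\s*\{')
_KEYSPEC_RE = re.compile(r'\bdefault_key_specs\s*\{')
# Simple one-per-line `name = value` / `name = "value"` attributes.
_ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def _attrs(block: str) -> Dict[str, str]:
    return dict(_ATTR_RE.findall(block))


def find_weak_dnssec_keys(hcl: str) -> List[Finding]:
    """Report every default_key_specs block that uses RSASHA1 or an unknown algorithm."""
    findings: List[Finding] = []
    for zm in _ZONE_RE.finditer(hcl):
        zone_body = _block_body(hcl, zm.end() - 1)          # zm ends at the '{'
        for km in _KEYSPEC_RE.finditer(zone_body):
            spec = _attrs(_block_body(zone_body, km.end() - 1))
            alg = spec.get("algorithm", "").lower()
            key_type = spec.get("key_type", "?")
            raw_len = spec.get("key_length", "")
            key_length = int(raw_len) if raw_len.isdigit() else None
            if alg in WEAK_ALGORITHMS:
                reason = "RSASHA1 relies on SHA-1 and is NOT RECOMMENDED for signing (RFC 8624)"
            elif alg not in STRONG_ALGORITHMS:
                reason = "algorithm missing or not a Cloud DNS DNSSEC algorithm value"
            else:
                continue
            findings.append(Finding(zm.group(1), key_type, alg, key_length, reason))
    return findings


# Constructed sample: the "mixed" zone uses RSASHA1 only for its ZSK, which the
# Semgrep rule above would not flag; the "clean" zone should produce nothing.
SAMPLE_TF = """
resource "google_dns_managed_zone" "mixed" {
  name     = "mixed-zone"
  dns_name = "mixed.example."
  dnssec_config {
    state = "on"
    default_key_specs {
      algorithm  = "rsasha1"
      key_length = 1024
      key_type   = "zoneSigning"
    }
    default_key_specs {
      algorithm  = "ecdsap256sha256"
      key_length = 256
      key_type   = "keySigning"
    }
  }
}

resource "google_dns_managed_zone" "clean" {
  name     = "clean-zone"
  dns_name = "clean.example."
  dnssec_config {
    state = "on"
    default_key_specs {
      algorithm  = "rsasha256"
      key_length = 2048
      key_type   = "keySigning"
    }
  }
}
"""

if __name__ == "__main__":
    for f in find_weak_dnssec_keys(SAMPLE_TF):
        print(f"{f.zone}: {f.key_type} key uses {f.algorithm} ({f.key_length} bits): {f.reason}")
```

The brace counter is deliberately naive (it does not understand HCL strings or heredocs containing braces), which is fine for reviewing zone definitions but not a replacement for a real HCL parser; the point is the per-block check, which reports the mixed zone's ZSK on its own where the paired pattern-inside clauses would stay silent.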
Short Link: https://sg.run/bKKW