typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public


CodeBuild Project $X is set to have a public URL. This will make the build results, logs, and artifacts publicly accessible, including builds prior to the project being public. Ensure this is acceptable for the project.



Definition

# Semgrep rule: flags an AWS CDK CodeBuild `Project` construct that is created
# with `badge: true`, i.e. with a publicly reachable build URL.
#
# Coverage notes:
#   - Both patterns anchor on `const $X = new ...`; a project assigned with
#     `let`/`var`, or instantiated without being assigned, is not matched.
#   - Only the v1 scoped package `@aws-cdk/aws-codebuild` is recognised by the
#     `pattern-inside` clauses; imports from `aws-cdk-lib/aws-codebuild` (CDK v2)
#     are not covered by this rule as written.
#   - NOTE(review): CDK's `badge` prop controls the build-badge URL, while the
#     referenced AWS page describes project visibility ("public builds");
#     confirm these are the intended equivalent before treating a clean scan
#     as proof that no project is public.
rules:
  - id: awscdk-codebuild-project-public
    message: CodeBuild Project $X is set to have a public URL. This will make the
      build results, logs, artifacts publically accessible, including builds
      prior to the project being public. Ensure this is acceptable for the
      project.
    metadata:
      category: security
      cwe:
        - "CWE-306: Missing Authentication for Critical Function"
      technology:
        - AWS-CDK
      references:
        - https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - ts
    severity: WARNING
    pattern-either:
      # Named import: `import {Project} from '@aws-cdk/aws-codebuild'`.
      # `...` after the import lets the construct appear anywhere later in the file.
      - patterns:
          - pattern-inside: |
              import {Project} from '@aws-cdk/aws-codebuild'
              ...
          # The `..., badge: true, ...` ellipses allow any other props around the key.
          - pattern: |
              const $X = new Project(..., {..., badge: true, ...})
      # Namespace import: `import * as $Y from '@aws-cdk/aws-codebuild'`; $Y is
      # bound here and reused so `new $Y.Project(...)` matches whatever alias was chosen.
      - patterns:
          - pattern-inside: |
              import * as $Y from '@aws-cdk/aws-codebuild'
              ...
          - pattern: |
              const $X = new $Y.Project(..., {..., badge: true, ...})

Examples

awscdk-codebuild-project-public.ts

import * as s3 from '@aws-cdk/aws-s3';
import * as cdk from '@aws-cdk/core';
import * as codebuild from '@aws-cdk/aws-codebuild'
import * as rename_codebuild from '@aws-cdk/aws-codebuild'
import {Project, Source} from '@aws-cdk/aws-codebuild'

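/**
 * Semgrep test fixture for the `awscdk-codebuild-project-public` rule.
 *
 * Each `// ruleid:` line marks the statement the rule must report and each
 * `// ok:` line marks one it must not report; the semgrep test harness checks
 * these annotations against the rule's findings. The three sections below
 * exercise the namespace import, a renamed namespace import and the named
 * import, since the rule has a separate pattern per import style.
 *
 * The negative cases instantiate `Project` with `new`, exactly like the
 * positive ones, so they test the `badge: true` discriminator itself instead
 * of failing to match merely because the construct was called without `new`
 * (which would also throw at runtime, as `Project` is a class). Construct ids
 * are unique per scope, as CDK rejects duplicate ids at synth time. The
 * result of every construct is kept in a `const` because the rule's patterns
 * anchor on `const $X = new ...`.
 */
export class CdkStarterStack extends cdk.Stack {
    constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        // Shared S3 source for the `source:`-only cases; a Bucket is a
        // construct and therefore needs a scope and an id.
        const bucket = new s3.Bucket(this, 'sourceBucket');

        // ---- namespace import: `codebuild.Project` ----

        // ruleid:awscdk-codebuild-project-public
        const publicProject1 = new codebuild.Project(this, 'publicProject1', {
            badge: true
        });

        // ok:awscdk-codebuild-project-public
        const privateProject1 = new codebuild.Project(this, 'privateProject1', {
            source: codebuild.Source.s3({
                bucket: bucket,
                path: 'path/to/file.zip'
            })
        });
        // ok:awscdk-codebuild-project-public
        const privateProject2 = new codebuild.Project(this, 'privateProject2', {
            badge: false
        });

        // ok:awscdk-codebuild-project-public
        const privateProject3 = new codebuild.Project(this, 'privateProject3');

        // ---- renamed namespace import: `rename_codebuild.Project` ----

        // ruleid:awscdk-codebuild-project-public
        const publicProject1Renamed = new rename_codebuild.Project(this, 'publicProject1Renamed', {
            badge: true
        });

        // ok:awscdk-codebuild-project-public
        const privateProject1Renamed = new rename_codebuild.Project(this, 'privateProject1Renamed', {
            source: rename_codebuild.Source.s3({
                bucket: bucket,
                path: 'path/to/file.zip'
            })
        });
        // ok:awscdk-codebuild-project-public
        const privateProject2Renamed = new rename_codebuild.Project(this, 'privateProject2Renamed', {
            badge: false
        });

        // ok:awscdk-codebuild-project-public
        const privateProject3Renamed = new rename_codebuild.Project(this, 'privateProject3Renamed');

        // ---- named import: `Project` ----

        // ruleid:awscdk-codebuild-project-public
        const publicProject1Direct = new Project(this, 'publicProject1Direct', {
            badge: true
        });

        // ok:awscdk-codebuild-project-public
        const privateProject1Direct = new Project(this, 'privateProject1Direct', {
            source: Source.s3({
                bucket: bucket,
                path: 'path/to/file.zip'
            })
        });
        // ok:awscdk-codebuild-project-public
        const privateProject2Direct = new Project(this, 'privateProject2Direct', {
            badge: false
        });

        // ok:awscdk-codebuild-project-public
        const privateProject3Direct = new Project(this, 'privateProject3Direct');
    }
}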