Commit 9f0114c

feat(query): Add Weak TLS Version query
1 parent 7d231a7 commit 9f0114c

5 files changed: +69 -0 lines changed
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
# Weak TLS Version
2+
3+
This query detects Azure resources that are configured to use weak or deprecated TLS versions, such as TLS 1.0 or TLS 1.1. Using outdated TLS versions exposes services to known vulnerabilities and increases the risk of data breaches or man-in-the-middle attacks. It is a security best practice to require the latest supported TLS version (such as TLS 1.2 or higher) for all resources.
4+
5+
## Bad Example: Weak TLS Version Configured
6+
7+
```bicep
8+
resource db 'Microsoft.Sql/servers@2021-02-01-preview' = {
9+
name: 'weaktlsdb'
10+
location: 'eastus'
11+
properties: {
12+
minimalTlsVersion: '1.0' // BAD: Weak TLS version
13+
}
14+
}
15+
```
16+
17+
## Good Example: Strong TLS Version Configured
18+
19+
```bicep
20+
resource db 'Microsoft.Sql/servers@2021-02-01-preview' = {
21+
name: 'securetlsdb'
22+
location: 'eastus'
23+
properties: {
24+
minimalTlsVersion: '1.2' // GOOD: Strong TLS version
25+
}
26+
}
27+
```
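Review bot: the description (line 3) says the query detects "Azure resources" in general, but both examples use only `Microsoft.Sql/servers`, and nothing states which resource types `Cryptography::WeakTlsVersion` actually covers; please list the covered resource types in the qhelp so users know what the query will and will not flag. Both examples also pin the preview API version `2021-02-01-preview`; a stable API version is preferable in documentation unless the preview is required. A References section is missing as well; CWE-327 (the category this query is filed under) and the Azure documentation for the `minimalTlsVersion` property would be the natural entries.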
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
/**
2+
* @name Weak TLS Version
3+
* @description Weak TLS versions (1.0 and 1.1) should not be used as they are considered insecure.
4+
* @kind problem
5+
* @problem.severity error
6+
* @security-severity 8.0
7+
* @precision high
8+
* @id bicep/weak-tls-version
9+
* @tags security
10+
* bicep
11+
* azure
12+
* cryptography
13+
*/
14+
import bicep
15+
16+
from Cryptography::WeakTlsVersion resource
17+
where
18+
resource.hasWeakTlsVersion()
19+
select resource.getWeakTlsVersionProperty(), "Weak TLS version detected"
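Review bot: the `@tags` block (lines 9-12) carries no CWE tag, although the query is filed under `security/CWE-327/` in the test qlref; add `external/cwe/cwe-327` so the alert is classified consistently with its directory. The `select` message (line 19) is static; including the detected version value from `getWeakTlsVersionProperty()` in the message would make alerts easier to triage when a file contains several resources. The `@description` (line 3) could also state the remediation the qhelp recommends, namely setting `minimalTlsVersion` to 1.2 or higher.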
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
| app.bicep:18:24:18:28 | String | Weak TLS version detected |
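Review bot: the expected output holds a single result, the `'1.0'` literal at app.bicep:18:24:18:28, so the TLS 1.1 case named in the query's `@description` and in the qhelp is never exercised; add a resource with `minimalTlsVersion: '1.1'` to the test fixture together with its expected row. A resource that omits `minimalTlsVersion` entirely would also be worth adding, so the expected file documents whether the absent-property case is meant to be flagged or not.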
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
security/CWE-327/WeakTlsVersion.ql
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
2+
// Secure
3+
resource db 'Microsoft.Sql/servers@2021-02-01-preview' = {
4+
name: 'securetlsdb'
5+
location: 'eastus'
6+
properties: {
7+
minimalTlsVersion: '1.2' // GOOD: Strong TLS version
8+
}
9+
}
10+
11+
// Bad
12+
resource db 'Microsoft.Sql/servers@2021-02-01-preview' = {
13+
name: 'publicdbserver'
14+
location: 'eastus'
15+
properties: {
16+
version: '12.0'
17+
publicNetworkAccess: 'Enabled' // BAD: Database is publicly accessible
18+
minimalTlsVersion: '1.0' // BAD: Weak TLS version
19+
sslEnforcement: 'Disabled' // BAD: SSL enforcement is disabled
20+
}
21+
}
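Review bot: both resources in this fixture use the symbolic name `db` (lines 3 and 12), which the Bicep compiler rejects as a duplicate declaration; give the second resource a distinct symbolic name (e.g. `badDb`) so the fixture is valid Bicep and keeps compiling if the extractor ever starts reporting errors. The "Bad" resource also sets `publicNetworkAccess: 'Enabled'` and `sslEnforcement: 'Disabled'` (lines 17 and 19), which this query does not examine; unrelated weaknesses in a fixture obscure what the single expected row is testing, so either drop them here or move them to the tests for the queries that cover them.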
