- What language is this for? Bicep/AzureResourceManager
- Which rule? several, see below
- Why do you believe it’s a false-positive/false-negative? The setting of the property is not allowed
- Are you using
- SonarQube - which version? 10.3.0.82913 developer edition
- How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
In a bicep file, create an existing resource and run the analyzer, you will get security hotspots on missing properties like:
resource functionApp 'Microsoft.Web/sites@2021-03-01' existing = {
name: '${prefixName}-func'
}
gives the following security hotspots:
- Omitting “clientCertEnabled” disables certificate-based authentication. Make sure it is safe here, azureresourcemanager:S6382
- Omitting authsettingsV2 disables authentication. Make sure it is safe here, azureresourcemanager:S6380
- Omitting “httpsOnly” allows the use of clear-text protocols. Make sure it is safe here, azureresourcemanager:S5332
- Omitting the “identity” block disables Azure Managed Identities. Make sure it is safe here, azureresourcemanager:S6378
It also happens with other types of resources like
resource kv 'Microsoft.KeyVault/vaults@2022-11-01' existing = {
name: '${prefixName}-kv'
}
this gives the following security hotspot:
- Omitting ‘enableRbacAuthorization’ disables role-based access control for this resource. Make sure it is safe here, azureresourcemanager:S6383
These rules (and others) should not be triggered if the existing keyword is present on the resource, as it's not allowed to define these settings on existing resources.
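To illustrate the distinction the report relies on, here is an added Bicep example (not part of the original post or of SonarQube's own test material) that places an existing reference next to a deployed resource of the same type. The existing declarations accept only a name, so none of the properties named in the hotspots (clientCertEnabled, httpsOnly, identity, authsettingsV2, enableRbacAuthorization) can be written there; the deployed resources show where those settings are actually expected. The parameter names, the "-func2"/"-kv2" suffixes and the appServicePlanId parameter are assumptions made for this example.

```bicep
// Assumed inputs for this example; prefixName is the parameter the
// original snippets reference, appServicePlanId is invented here.
param prefixName string
param appServicePlanId string
param location string = resourceGroup().location

// A reference to a resource deployed elsewhere. An `existing` declaration
// only carries a name (and optionally scope/parent); the compiler rejects
// properties such as httpsOnly or identity here, so there is nothing for
// the analyzer to ask about.
resource functionAppRef 'Microsoft.Web/sites@2021-03-01' existing = {
  name: '${prefixName}-func'
}

resource keyVaultRef 'Microsoft.KeyVault/vaults@2022-11-01' existing = {
  name: '${prefixName}-kv'
}

// The same resource type deployed by this template. This is the place
// where the settings the hotspots refer to belong.
resource functionApp 'Microsoft.Web/sites@2021-03-01' = {
  name: '${prefixName}-func2'
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned' // S6378: managed identity instead of stored credentials
  }
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true // S5332: refuse clear-text HTTP
    clientCertEnabled: true // S6382: require client certificates
  }
}

// authsettingsV2 is a child config resource, not a property of the site.
resource functionAppAuth 'Microsoft.Web/sites/config@2021-03-01' = {
  parent: functionApp
  name: 'authsettingsV2'
  properties: {
    globalValidation: {
      requireAuthentication: true // S6380: unauthenticated requests are rejected
      unauthenticatedClientAction: 'Return401'
    }
  }
}

resource keyVault 'Microsoft.KeyVault/vaults@2022-11-01' = {
  name: '${prefixName}-kv2'
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true // S6383: RBAC instead of access policies
  }
}

// Consuming the existing references is the only thing a template can do
// with them; their security settings live in whatever deployed them.
output existingFunctionAppId string = functionAppRef.id
output existingKeyVaultId string = keyVaultRef.id
output newFunctionAppId string = functionApp.id
output newKeyVaultId string = keyVault.id
```

Running `az bicep build` on this file compiles cleanly; adding any of the flagged properties to the two `existing` blocks produces a compile error, which is the behaviour the report describes.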