@cx-ricardo-jesus
Contributor

Reason for Proposed Changes

  • Currently the query "Web App Not Using TLS Last Version" does not take into account the scenarios where a resource of type Microsoft.Web/sites/config, which is a 'child' resource from Microsoft.Web/sites, does not have the field minTlsVersion defined or when it's defined to a version below 1.2.

Proposed Changes

  • With these changes, the query now has two policies.
  • The first policy still covers the same scenarios as before, which were the scenarios where the field siteConfig.minTlsVersion was not defined or when it was defined to a version that is not either 1.2 or 1.3. The only changes in this policy are that it also searches for child resources and verifies if there are none. This is to prevent this policy from flagging the cases when the parent resource of type Microsoft.Web/sites does not have the field minTlsVersion defined, but the child resource of type Microsoft.Web/sites/config may or may not have a vulnerable configuration, which the second policy targets.
  • The second policy is for the cases when a parent resource of type Microsoft.Web/sites has one or more child resources of type Microsoft.Web/sites/config and uses a helper function called check_tls_version to handle all three scenarios:
    • When a child resource does not have the field minTlsVersion defined, and the parent resource has the field defined to a version that is not either 1.2 or 1.3.
    • When both the parent and child resource don't have the field minTlsVersion defined.
    • When the child resource has the field defined with a value that is not either 1.2 or 1.3.

I submit this contribution under the Apache-2.0 license.
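
The decision logic described in this PR, modelled in Python as an added example; it is not the Rego query from the PR and not KICS code. Only the name check_tls_version comes from the description: its signature, the other function names, the nested "resources" layout and the passing cases (a child that sets 1.2/1.3, or inherits it from the parent) are assumptions, and the sample resources are constructed.

```python
# Added illustration: a Python model of the two policies described in this PR.
# It is not the Rego query itself. Assumptions: child config resources are
# nested in the parent's "resources" array, and a child that sets 1.2/1.3
# (or inherits it from the parent) passes.
ACCEPTED = {"1.2", "1.3"}
CHILD_TYPES = {"config", "Microsoft.Web/sites/config"}


def parent_tls(site):
    cfg = (site.get("properties") or {}).get("siteConfig") or {}
    return cfg.get("minTlsVersion")


def check_tls_version(site, child):
    """Policy 2: finding text for one child resource, or None if it passes."""
    child_v = (child.get("properties") or {}).get("minTlsVersion")
    parent_v = parent_tls(site)
    if child_v is not None:
        return None if child_v in ACCEPTED else f"child sets minTlsVersion {child_v}"
    if parent_v is None:
        return "minTlsVersion undefined on parent and child"
    if parent_v not in ACCEPTED:
        return f"child undefined, parent sets minTlsVersion {parent_v}"
    return None


def findings(site):
    """Return the findings for one Microsoft.Web/sites resource."""
    if site.get("type") != "Microsoft.Web/sites":
        return []
    children = [r for r in site.get("resources") or []
                if r.get("type") in CHILD_TYPES]
    if not children:  # Policy 1: only the parent's siteConfig is evaluated
        v = parent_tls(site)
        if v is None:
            return ["siteConfig.minTlsVersion undefined"]
        return [] if v in ACCEPTED else [f"siteConfig.minTlsVersion is {v}"]
    results = (check_tls_version(site, c) for c in children)
    return [r for r in results if r]


def make_site(parent_v=None, children=()):
    """Constructed sample; children holds versions, None = field absent."""
    props = {"siteConfig": {"minTlsVersion": parent_v}} if parent_v else {}
    kids = [{"type": "config", "name": "web",
             "properties": {"minTlsVersion": v} if v else {}}
            for v in children]
    return {"type": "Microsoft.Web/sites", "name": "example-app",
            "properties": props, "resources": kids}
```

The case `make_site(None, ("1.2",))` is the one the first policy's new child check exists for: the parent leaves the field undefined, the child sets it correctly, and nothing is flagged.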

@cx-ricardo-jesus requested a review from a team as a code owner December 31, 2025 17:31
@github-actions bot added the query (New query feature) and azure (PR related with Azure Cloud) labels Dec 31, 2025
@github-actions
Contributor


KICS version: v2.1.18

Category    Results
CRITICAL    0
HIGH        0
MEDIUM      0
LOW         0
INFO        0
TRACE       0
TOTAL       0

Metric                      Values
Files scanned               1
Files parsed                1
Files failed to scan        0
Total executed queries      47
Queries failed to execute   0
Execution time              0
