feat(tests): Add tests for Database queries

Author: GeekMasher

ql/test/queries-tests/security/CWE-284/DatabasePublicNetworkAccess/DatabasePublicNetworkAccess.expected

@@ -0,0 +1,3 @@
+| app.bicep:8:26:8:34 | String | Database 'vulnerable-sql-server' has public network access enabled, making it accessible from the internet. |
+| app.bicep:19:26:19:34 | String | Database 'vulnerable-postgresql' has public network access enabled, making it accessible from the internet. |
+| app.bicep:31:26:31:34 | String | Database 'vulnerable-mysql' has public network access enabled, making it accessible from the internet. |

ql/test/queries-tests/security/CWE-284/DatabasePublicNetworkAccess/DatabasePublicNetworkAccess.qlref

@@ -0,0 +1 @@
+security/CWE-284/DatabasePublicNetworkAccess.ql

ql/test/queries-tests/security/CWE-284/DatabasePublicNetworkAccess/app.bicep

@@ -0,0 +1,71 @@
+// Test cases for database public network access detection
+
+// TEST CASE: Vulnerable - SQL Server with public network access enabled
+resource vulnerableSqlServer 'Microsoft.Sql/servers@2021-11-01' = {
+  name: 'vulnerable-sql-server'
+  location: 'eastus'
+  properties: {
+    publicNetworkAccess: 'Enabled'  // Should be detected
+    administratorLogin: 'sqladmin'
+    administratorLoginPassword: 'Password123!'
+  }
+}
+
+// TEST CASE: Vulnerable - PostgreSQL with public network access enabled
+resource vulnerablePostgreSQL 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: 'vulnerable-postgresql'
+  location: 'eastus'
+  properties: {
+    publicNetworkAccess: 'Enabled'  // Should be detected
+    administratorLogin: 'pgadmin'
+    administratorLoginPassword: 'Password123!'
+    sslEnforcement: 'Enabled'
+  }
+}
+
+// TEST CASE: Vulnerable - MySQL with public network access enabled
+resource vulnerableMySQL 'Microsoft.DBforMySQL/servers@2017-12-01' = {
+  name: 'vulnerable-mysql'
+  location: 'eastus'
+  properties: {
+    publicNetworkAccess: 'Enabled'  // Should be detected
+    administratorLogin: 'mysqladmin'
+    administratorLoginPassword: 'Password123!'
+    sslEnforcement: 'Enabled'
+  }
+}
+
+// TEST CASE: Secure - SQL Server with public network access disabled
+resource secureSqlServer 'Microsoft.Sql/servers@2021-11-01' = {
+  name: 'secure-sql-server'
+  location: 'eastus'
+  properties: {
+    publicNetworkAccess: 'Disabled'  // Should NOT be detected
+    administratorLogin: 'sqladmin'
+    administratorLoginPassword: 'Password123!'
+  }
+}
+
+// TEST CASE: Secure - PostgreSQL with public network access disabled
+resource securePostgreSQL 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: 'secure-postgresql'
+  location: 'eastus'
+  properties: {
+    publicNetworkAccess: 'Disabled'  // Should NOT be detected
+    administratorLogin: 'pgadmin'
+    administratorLoginPassword: 'Password123!'
+    sslEnforcement: 'Enabled'
+  }
+}
+
+// TEST CASE: Secure - MySQL without explicit public network access (defaults to disabled)
+resource defaultMySQL 'Microsoft.DBforMySQL/servers@2017-12-01' = {
+  name: 'default-mysql'
+  location: 'eastus'
+  properties: {
+    // publicNetworkAccess not specified - should NOT be detected
+    administratorLogin: 'mysqladmin'
+    administratorLoginPassword: 'Password123!'
+    sslEnforcement: 'Enabled'
+  }
+}

ql/test/queries-tests/security/CWE-311/DatabaseNoInfrastructureEncryption/DatabaseNoInfrastructureEncryption.expected

@@ -0,0 +1,3 @@
+| app.bicep:4:1:14:1 | DatabaseResource[postgresql] | Database 'vulnerable-postgresql-no-encryption' does not have infrastructure encryption enabled, which may expose data at the infrastructure level. |
+| app.bicep:17:1:27:1 | DatabaseResource[mysql] | Database 'vulnerable-mysql-disabled-encryption' does not have infrastructure encryption enabled, which may expose data at the infrastructure level. |
+| app.bicep:30:1:40:1 | DatabaseResource[mariadb] | Database 'vulnerable-mariadb-no-encryption' does not have infrastructure encryption enabled, which may expose data at the infrastructure level. |

ql/test/queries-tests/security/CWE-311/DatabaseNoInfrastructureEncryption/DatabaseNoInfrastructureEncryption.qlref

@@ -0,0 +1 @@
+security/CWE-311/DatabaseNoInfrastructureEncryption.ql

ql/test/queries-tests/security/CWE-311/DatabaseNoInfrastructureEncryption/app.bicep

@@ -0,0 +1,69 @@
+// Test cases for database infrastructure encryption detection
+
+// TEST CASE: Vulnerable - PostgreSQL without infrastructure encryption (missing property)
+resource vulnerablePostgreSQL_NoEncryption 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: 'vulnerable-postgresql-no-encryption'
+  location: 'eastus'
+  properties: {
+    // infrastructureEncryption not specified - should be detected
+    administratorLogin: 'pgadmin'
+    administratorLoginPassword: 'Password123!'
+    sslEnforcement: 'Enabled'
+    minimalTlsVersion: '1.2'
+  }
+}
+
+// TEST CASE: Vulnerable - MySQL with infrastructure encryption explicitly disabled
+resource vulnerableMySQL_DisabledEncryption 'Microsoft.DBforMySQL/servers@2017-12-01' = {
+  name: 'vulnerable-mysql-disabled-encryption'
+  location: 'eastus'
+  properties: {
+    infrastructureEncryption: 'Disabled'  // Should be detected
+    administratorLogin: 'mysqladmin'
+    administratorLoginPassword: 'Password123!'
+    sslEnforcement: 'Enabled'
+    minimalTlsVersion: '1.2'
+  }
+}
+
+// TEST CASE: Vulnerable - MariaDB without infrastructure encryption
+resource vulnerableMariaDB_NoEncryption 'Microsoft.DBforMariaDB/servers@2018-06-01' = {
+  name: 'vulnerable-mariadb-no-encryption'
+  location: 'eastus'
+  properties: {
+    // infrastructureEncryption not specified - should be detected
+    administratorLogin: 'mariaadmin'
+    administratorLoginPassword: 'Password123!'
+    sslEnforcement: 'Enabled'
+    minimalTlsVersion: '1.2'
+  }
+}
+
+// TEST CASE: Secure - PostgreSQL with infrastructure encryption enabled
+resource securePostgreSQL_WithEncryption 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: 'secure-postgresql-with-encryption'
+  location: 'eastus'
+  properties: {
+    infrastructureEncryption: 'Enabled'  // Should NOT be detected
+    administratorLogin: 'pgadmin'
+    administratorLoginPassword: 'Password123!'
+    sslEnforcement: 'Enabled'
+    minimalTlsVersion: '1.2'
+  }
+}
+
+// TEST CASE: Secure - MySQL with infrastructure encryption enabled
+resource secureMySQL_WithEncryption 'Microsoft.DBforMySQL/servers@2017-12-01' = {
+  name: 'secure-mysql-with-encryption'
+  location: 'eastus'
+  properties: {
+    infrastructureEncryption: 'Enabled'  // Should NOT be detected
+    administratorLogin: 'mysqladmin'
+    administratorLoginPassword: 'Password123!'
+    sslEnforcement: 'Enabled'
+    minimalTlsVersion: '1.2'
+  }
+}
+
+// TEST CASE: Note - SQL Server and CosmosDB typically don't have infrastructureEncryption property
+// so they should not be detected by this query

ql/test/queries-tests/security/CWE-319/DatabaseSslNotEnforced/DatabaseSslNotEnforced.expected

@@ -0,0 +1,3 @@
+| app.bicep:8:21:8:30 | String | Database 'vulnerable-postgresql-no-ssl' has SSL enforcement disabled, allowing unencrypted connections that may expose data in transit. |
+| app.bicep:19:21:19:30 | String | Database 'vulnerable-mysql-no-ssl' has SSL enforcement disabled, allowing unencrypted connections that may expose data in transit. |
+| app.bicep:30:21:30:30 | String | Database 'vulnerable-mariadb-no-ssl' has SSL enforcement disabled, allowing unencrypted connections that may expose data in transit. |

ql/test/queries-tests/security/CWE-319/DatabaseSslNotEnforced/DatabaseSslNotEnforced.qlref

@@ -0,0 +1 @@
+security/CWE-319/DatabaseSslNotEnforced.ql

ql/test/queries-tests/security/CWE-319/DatabaseSslNotEnforced/app.bicep

@@ -0,0 +1,72 @@
+// Test cases for database SSL enforcement detection
+
+// TEST CASE: Vulnerable - PostgreSQL with SSL enforcement disabled
+resource vulnerablePostgreSQL_NoSSL 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: 'vulnerable-postgresql-no-ssl'
+  location: 'eastus'
+  properties: {
+    sslEnforcement: 'Disabled'  // Should be detected
+    administratorLogin: 'pgadmin'
+    administratorLoginPassword: 'Password123!'
+  }
+}
+
+// TEST CASE: Vulnerable - MySQL with SSL enforcement disabled
+resource vulnerableMySQL_NoSSL 'Microsoft.DBforMySQL/servers@2017-12-01' = {
+  name: 'vulnerable-mysql-no-ssl'
+  location: 'eastus'
+  properties: {
+    sslEnforcement: 'Disabled'  // Should be detected
+    administratorLogin: 'mysqladmin'
+    administratorLoginPassword: 'Password123!'
+  }
+}
+
+// TEST CASE: Vulnerable - MariaDB with SSL enforcement disabled
+resource vulnerableMariaDB_NoSSL 'Microsoft.DBforMariaDB/servers@2018-06-01' = {
+  name: 'vulnerable-mariadb-no-ssl'
+  location: 'eastus'
+  properties: {
+    sslEnforcement: 'Disabled'  // Should be detected
+    administratorLogin: 'mariaadmin'
+    administratorLoginPassword: 'Password123!'
+  }
+}
+
+// TEST CASE: Secure - PostgreSQL with SSL enforcement enabled
+resource securePostgreSQL_WithSSL 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: 'secure-postgresql-with-ssl'
+  location: 'eastus'
+  properties: {
+    sslEnforcement: 'Enabled'   // Should NOT be detected
+    minimalTlsVersion: '1.2'
+    administratorLogin: 'pgadmin'
+    administratorLoginPassword: 'Password123!'
+  }
+}
+
+// TEST CASE: Secure - MySQL with SSL enforcement enabled
+resource secureMySQL_WithSSL 'Microsoft.DBforMySQL/servers@2017-12-01' = {
+  name: 'secure-mysql-with-ssl'
+  location: 'eastus'
+  properties: {
+    sslEnforcement: 'Enabled'   // Should NOT be detected
+    minimalTlsVersion: 'TLS1_2'
+    administratorLogin: 'mysqladmin'
+    administratorLoginPassword: 'Password123!'
+  }
+}
+
+// TEST CASE: Secure - Database without explicit SSL enforcement (uses defaults)
+resource defaultSSLDatabase 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: 'default-ssl-database'
+  location: 'eastus'
+  properties: {
+    // sslEnforcement not specified - should NOT be detected (depends on default)
+    administratorLogin: 'pgadmin'
+    administratorLoginPassword: 'Password123!'
+  }
+}
+
+// TEST CASE: Note - SQL Server typically doesn't have sslEnforcement property
+// CosmosDB also doesn't have this property, so they won't be detected

ql/test/queries-tests/security/CWE-327/DatabaseWeakTlsVersion/DatabaseWeakTlsVersion.expected

@@ -0,0 +1,4 @@
+| app.bicep:8:24:8:28 | String | Database 'vulnerable-postgresql-tls10' is configured with weak TLS version '1.0'. Use TLS 1.2 or higher. |
+| app.bicep:20:24:20:31 | String | Database 'vulnerable-mysql-tls11' is configured with weak TLS version 'TLS1_1'. Use TLS 1.2 or higher. |
+| app.bicep:32:24:32:28 | String | Database 'vulnerable-sql-tls10' is configured with weak TLS version '1.0'. Use TLS 1.2 or higher. |
+| app.bicep:43:24:43:32 | String | Database 'vulnerable-mariadb-tls11' is configured with weak TLS version 'TLS_1.1'. Use TLS 1.2 or higher. |