--- policy: /ce/ca/aws/ec2/security-group-allows-unrestricted-smtp-traffic logic: /ce/ca/aws/ec2/security-group-allows-unrestricted-smtp-traffic/prod.logic.yaml executionTime: 2026-02-10T22:32:46.463163356Z generationMs: 65 executionMs: 1301 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) actual: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) runtimeError: {} - id: test3 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) actual: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) runtimeError: {} - id: test5 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 200 actual: 200 conditionText: expected: otherwise actual: otherwise runtimeError: {} - id: test6 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 200 actual: 200 conditionText: expected: otherwise actual: otherwise runtimeError: {} - id: test7 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 200 actual: 200 conditionText: expected: otherwise actual: otherwise runtimeError: {} - id: test8 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 200 actual: 200 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/ec2/security-group-allows-unrestricted-smtp-traffic/policy.yaml md5Hash: FF72E67FC0A928A37298304D1212E75F content: "---\nnames:\n full: AWS EC2 Security Group allows unrestricted SMTP\ \ traffic\n contextual: Security Group allows unrestricted SMTP traffic\ndescription:\ \ >\n Ensure that AWS EC2 Security Groups are configured to restrict inbound\ \ SMTP \n traffic (port 25) to trusted IP addresses.\ntype: COMPLIANCE_POLICY\n\ categories:\n - SECURITY\nframeworkMappings:\n - \"/frameworks/cloudaware/resource-security/threat-protection\"\ \n - \"/frameworks/aws-fsbp-v1.0.0/ec2/19\"\nsimilarPolicies:\n internal:\n\ \ - dec-x-11c3009f\n cloudConformity:\n - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-smtp-access.html\n\ \ name: Unrestricted SMTP Access\n" - path: /ce/ca/aws/ec2/security-group-allows-unrestricted-smtp-traffic/prod.logic.yaml md5Hash: 371DFC75FF9DAF9D788E895B243E66C1 content: "---\ninputType: \"CA10__CaAwsSecurityGroup__c\"\ntestData:\n - file:\ \ \"test-data.json\"\nconditions:\n - status: \"INCOMPLIANT\"\n currentStateMessage:\ \ \"This security group allows SMTP (port 25) access from 0.0.0.0/0 or ::/0.\"\ \n remediationMessage: \"Change the security group source to a range other\ \ than 0.0.0.0/0 or delete the offending inbound rule.\"\n check:\n \ \ RELATED_LIST_HAS:\n status: \"INCOMPLIANT\"\n relationshipName:\ \ \"CA10__AWS_EC2_Security_Group_Rules__r\"\notherwise:\n status: \"COMPLIANT\"\ \n currentStateMessage: \"This security group does not allow unrestricted SMTP\ \ access.\"\nrelatedLists: \n - relationshipName: \"CA10__AWS_EC2_Security_Group_Rules__r\"\ \n importExtracts:\n - file: \"/types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml\"\ \n conditions:\n - status: \"INAPPLICABLE\"\n currentStateMessage:\ \ \"This is an outbound security group rule.\"\n check:\n NOT_EQUAL:\n\ \ left:\n EXTRACT: \"CA10__direction__c\"\n \ \ right:\n TEXT: \"Inbound\"\n - status: \"INAPPLICABLE\"\ \n currentStateMessage: \"This security group rule does not allow unrestricted\ \ access.\"\n check:\n AND:\n args:\n \ \ - NOT_EQUAL:\n left:\n EXTRACT: \"CA10__sourceIpRange__c\"\ \n right:\n TEXT: \"0.0.0.0/0\"\n \ \ - NOT_EQUAL:\n left:\n EXTRACT:\ \ \"CA10__sourceIpRange__c\"\n right:\n \ \ TEXT: \"::/0\"\n - status: \"INAPPLICABLE\"\n currentStateMessage:\ \ \"This security group rule protocol is not All or TCP.\"\n check:\n\ # check that protocol is neither all or tcp\n NOT:\n arg:\n\ \ OR:\n args:\n - IS_EQUAL:\n \ \ left:\n EXTRACT: \"CA10__protocol__c\"\ \n right:\n TEXT: \"All\"\n \ \ - IS_EQUAL:\n left:\n \ \ EXTRACT: \"CA10__protocol__c\"\n right:\n \ \ TEXT: \"tcp\"\n - status: \"INCOMPLIANT\"\n currentStateMessage:\ \ \"This security group allows SMTP access from 0.0.0.0/0 or ::/0.\"\n \ \ remediationMessage: \"Change the source field to a range other\\\n \ \ \\ than 0.0.0.0/0 or delete the offending inbound rule.\"\n check:\n\ \ AND:\n args:\n - LESS_THAN_EQUAL:\n \ \ left:\n EXTRACT: \"CA10__fromPort__c\"\n \ \ right:\n NUMBER: 25.0\n - GREATER_THAN_EQUAL:\n\ \ left:\n EXTRACT: \"CA10__toPort__c\"\n\ \ right:\n NUMBER: 25.0\n otherwise:\n\ \ status: \"COMPLIANT\"\n currentStateMessage: \"This security group\ \ does not allow unrestricted access.\"\n\n" - path: /ce/ca/aws/ec2/security-group-allows-unrestricted-smtp-traffic/test-data.json md5Hash: D6E3F9146639CAC6100D4D2159069B30 content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T02:23:36Z" }, "Id": "test1", "CA10__disappearanceTime__c": "2024-05-27T17:37:28Z", "CA10__AWS_EC2_Security_Group_Rules__r": [] }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T02:23:36Z" }, "Id": "test2", "CA10__disappearanceTime__c": null, "CA10__AWS_EC2_Security_Group_Rules__r": [ { "Id": "test2_1", "CA10__disappearanceTime__c": null, "CA10__direction__c": "Inbound", "CA10__sourceIpRange__c": "::/0", "CA10__protocol__c": "All", "CA10__fromPort__c": 25, "CA10__toPort__c": 25, "CA10__securityGroup__c": "test2" } ] }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T02:23:36Z" }, "Id": "test3", "CA10__disappearanceTime__c": null, "CA10__AWS_EC2_Security_Group_Rules__r": [ { "Id": "test3_1", "CA10__disappearanceTime__c": null, "CA10__direction__c": "Inbound", "CA10__sourceIpRange__c": "::/0", "CA10__protocol__c": "tcp", "CA10__fromPort__c": 20, "CA10__toPort__c": 30, "CA10__securityGroup__c": "test3" } ] }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "200", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T02:23:36Z" }, "Id": "test5", "CA10__disappearanceTime__c": null, "CA10__AWS_EC2_Security_Group_Rules__r": [ { "Id": "test5_1", "CA10__disappearanceTime__c": null, "CA10__direction__c": "Outbound", "CA10__sourceIpRange__c": "::/0", "CA10__protocol__c": "tcp", "CA10__fromPort__c": null, "CA10__toPort__c": null, "CA10__securityGroup__c": "test5" } ] }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "200", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T02:23:36Z" }, "Id": "test6", "CA10__disappearanceTime__c": null, "CA10__AWS_EC2_Security_Group_Rules__r": [ { "Id": "test6_1", "CA10__disappearanceTime__c": null, "CA10__direction__c": "Inbound", "CA10__sourceIpRange__c": "0.0.0.0/0", "CA10__protocol__c": "tcp", "CA10__fromPort__c": null, "CA10__toPort__c": null, "CA10__securityGroup__c": "test6" } ] }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "200", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T02:23:36Z" }, "Id": "test7", "CA10__disappearanceTime__c": null, "CA10__AWS_EC2_Security_Group_Rules__r": [ { "Id": "test7_1", "CA10__disappearanceTime__c": null, "CA10__direction__c": "Inbound", "CA10__sourceIpRange__c": "0.0.0.0/0", "CA10__protocol__c": "tcp", "CA10__fromPort__c": 1111, "CA10__toPort__c": 1111, "CA10__securityGroup__c": "test7" } ] }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "200", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T02:23:36Z" }, "Id": "test8", "CA10__disappearanceTime__c": null, "CA10__AWS_EC2_Security_Group_Rules__r": [] } ] - path: /types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml md5Hash: 58DC1872D7462985D50972C65C61C237 content: "---\nextracts:\n# Values: IP, Group, PrefixList. Nullable, it can be\ \ prefix list if empty. Can't have no access, retrieved via ec2:DescribeSecurityGroups\n\ \ - name: \"CA10__source__c\"\n value: \n FIELD:\n path: \"\ CA10__source__c\"\n# Values: IPv4, IPv6. Nullable it is not the IP source if\ \ empty. Can't have no access, retrieved via ec2:DescribeSecurityGroups\n -\ \ name: \"CA10__sourceIpVersion__c\"\n value: \n FIELD:\n path:\ \ \"CA10__sourceIpVersion__c\"\n# Nullable. Can't have no access, retrieved\ \ via ec2:DescribeSecurityGroups\n - name: \"CA10__sourceIpRange__c\"\n \ \ value: \n FIELD:\n path: \"CA10__sourceIpRange__c\"\n# Values:\ \ Inbound, Outbound. Not nullable. Can't have no access, retrieved via ec2:DescribeSecurityGroups\n\ \ - name: \"CA10__direction__c\"\n value: \n FIELD:\n path:\ \ \"CA10__direction__c\"\n undeterminedIf:\n isEmpty: \"Corrupted\ \ data. Rule Action cannot be empty.\"\n# Not nullable. Can't have no access,\ \ retrieved via ec2:DescribeSecurityGroups\n - name: \"CA10__protocol__c\"\n\ \ value: \n FIELD:\n path: \"CA10__protocol__c\"\n undeterminedIf:\n\ \ isEmpty: \"Corrupted data. Protocol cannot be empty.\"\n# Nullable.\ \ Can't have no access, retrieved via ec2:DescribeSecurityGroups\n - name:\ \ \"CA10__fromPort__c\"\n value: \n FIELD:\n path: \"CA10__fromPort__c\"\ \n# Nullable. Can't have no access, retrieved via ec2:DescribeSecurityGroups\n\ \ - name: \"CA10__toPort__c\"\n value: \n FIELD:\n path: \"\ CA10__toPort__c\"\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)", "runtimeError" : null } }, { "Id" : "test5", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null } }, { "Id" : "test6", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null } }, { "Id" : "test7", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null } }, { "Id" : "test8", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsSecurityGroup__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "CA10__disappearanceTime__c" : new Date("2024-05-27T17:37:28Z"), "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "Id" : "test3" }, { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "Id" : "test5" }, { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "Id" : "test6" }, { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "Id" : "test7" }, { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "Id" : "test8" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsSecurityGroupRule2__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "CA10__direction__c" : "Inbound", "CA10__sourceIpRange__c" : "::/0", "CA10__protocol__c" : "All", "CA10__fromPort__c" : 25, "CA10__toPort__c" : 25, "CA10__securityGroup__c" : "test2", "Id" : "test2_1" }, { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "CA10__direction__c" : "Inbound", "CA10__sourceIpRange__c" : "::/0", "CA10__protocol__c" : "tcp", "CA10__fromPort__c" : 20, "CA10__toPort__c" : 30, "CA10__securityGroup__c" : "test3", "Id" : "test3_1" }, { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "CA10__direction__c" : "Outbound", "CA10__sourceIpRange__c" : "::/0", "CA10__protocol__c" : "tcp", "CA10__fromPort__c" : null, "CA10__toPort__c" : null, "CA10__securityGroup__c" : "test5", "Id" : "test5_1" }, { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "CA10__direction__c" : "Inbound", "CA10__sourceIpRange__c" : "0.0.0.0/0", "CA10__protocol__c" : "tcp", "CA10__fromPort__c" : null, "CA10__toPort__c" : null, "CA10__securityGroup__c" : "test6", "Id" : "test6_1" }, { "context" : { "snapshotTime" : new Date("2024-05-30T02:23:36Z") }, "CA10__direction__c" : "Inbound", "CA10__sourceIpRange__c" : "0.0.0.0/0", "CA10__protocol__c" : "tcp", "CA10__fromPort__c" : 1111, "CA10__toPort__c" : 1111, "CA10__securityGroup__c" : "test7", "Id" : "test7_1" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsSecurityGroup__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, Id STRING, CA10__AWS_EC2_Security_Group_Rules__r ARRAY >> >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } var count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT2 = 0; if (obj.CA10__AWS_EC2_Security_Group_Rules__r != null) { for (var i3 = 0; i3 < obj.CA10__AWS_EC2_Security_Group_Rules__r.length; i3++) { if (typeof(obj.CA10__AWS_EC2_Security_Group_Rules__r[i3].status) !== 'undefined') { if (obj.CA10__AWS_EC2_Security_Group_Rules__r[i3].status == 'INCOMPLIANT') { count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT2 += obj.CA10__AWS_EC2_Security_Group_Rules__r[i3].count; } } else { if (obj.CA10__AWS_EC2_Security_Group_Rules__r[i3].result.status == 'INCOMPLIANT') { count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT2 += 1; } } } } // condition[1], conditionIndex:[100..199] references1.push('Related list [CA10__AWS_EC2_Security_Group_Rules__r] ' + (count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT2 > 0 ? 'has' : 'does not have') + ' objects in INCOMPLIANT status'); if (count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT2 > 0) { return {status: 'INCOMPLIANT', conditionIndex: 199, conditionText: "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)", currentStateMessage: "This security group allows SMTP (port 25) access from 0.0.0.0/0 or ::/0.", currentStateReferences: references1.join('\n'), remediation: "Change the security group source to a range other than 0.0.0.0/0 or delete the offending inbound rule.", runtimeError: null}; } return {status: 'COMPLIANT', conditionIndex: 200, conditionText: "otherwise", currentStateMessage: "This security group does not allow unrestricted SMTP access.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; CREATE TEMP FUNCTION process_CA10__AWS_EC2_Security_Group_Rules__r( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__direction__c STRING, CA10__sourceIpRange__c STRING, CA10__protocol__c STRING, CA10__fromPort__c FLOAT64, CA10__toPort__c FLOAT64, CA10__securityGroup__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function fieldChecked4() { if (TextLib.isEmpty(obj.CA10__direction__c)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__direction__c.isEmpty()", currentStateMessage: "Corrupted data. Rule Action cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__direction__c; } function extract3() { if (!this.out) { this.out = fieldChecked4(); } return this.out; }; references1.push('Direction [obj.CA10__direction__c]: ' + obj.CA10__direction__c); try { if (TextLib.notEqual(extract3.call(extract3), 'Inbound')) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__direction__c') != 'Inbound'", currentStateMessage: "This is an outbound security group rule.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[2], conditionIndex:[200..299] function extract6() { if (!this.out) { this.out = obj.CA10__sourceIpRange__c; } return this.out; }; references1.push('Source IP Range [obj.CA10__sourceIpRange__c]: ' + obj.CA10__sourceIpRange__c); if (TextLib.notEqual(extract6.call(extract6), '0.0.0.0/0') && TextLib.notEqual(extract6.call(extract6), '::/0')) { return {status: 'INAPPLICABLE', conditionIndex: 299, conditionText: "extract('CA10__sourceIpRange__c') != '0.0.0.0/0' && extract('CA10__sourceIpRange__c') != '::/0'", currentStateMessage: "This security group rule does not allow unrestricted access.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[3], conditionIndex:[300..399] function fieldChecked11() { if (TextLib.isEmpty(obj.CA10__protocol__c)) { throw new Error("UNDETERMINED condition:301", {cause: {status: 'UNDETERMINED', conditionIndex: 301, conditionText: "CA10__protocol__c.isEmpty()", currentStateMessage: "Corrupted data. Protocol cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__protocol__c; } function extract10() { if (!this.out) { this.out = fieldChecked11(); } return this.out; }; references1.push('Protocol [obj.CA10__protocol__c]: ' + obj.CA10__protocol__c); try { if (!(TextLib.equal(extract10.call(extract10), 'All') || TextLib.equal(extract10.call(extract10), 'tcp'))) { return {status: 'INAPPLICABLE', conditionIndex: 399, conditionText: "not(extract('CA10__protocol__c') == 'All' || extract('CA10__protocol__c') == 'tcp')", currentStateMessage: "This security group rule protocol is not All or TCP.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[4], conditionIndex:[400..499] function extract15() { if (!this.out) { this.out = obj.CA10__fromPort__c; } return this.out; }; function extract19() { if (!this.out) { this.out = obj.CA10__toPort__c; } return this.out; }; references1.push('From Port [obj.CA10__fromPort__c]: ' + obj.CA10__fromPort__c); references1.push('To Port [obj.CA10__toPort__c]: ' + obj.CA10__toPort__c); if ((extract15.call(extract15) != null && 25.0 != null && extract15.call(extract15) <= 25.0) && (extract19.call(extract19) != null && 25.0 != null && extract19.call(extract19) >= 25.0)) { return {status: 'INCOMPLIANT', conditionIndex: 499, conditionText: "extract('CA10__fromPort__c') <= number(25.0) && extract('CA10__toPort__c') >= number(25.0)", currentStateMessage: "This security group allows SMTP access from 0.0.0.0/0 or ::/0.", currentStateReferences: references1.join('\n'), remediation: "Change the source field to a range other than 0.0.0.0/0 or delete the offending inbound rule.", runtimeError: null}; } return {status: 'COMPLIANT', conditionIndex: 500, conditionText: "otherwise", currentStateMessage: "This security group does not allow unrestricted access.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.Id AS Id, `CA10__AWS_EC2_Security_Group_Rules__r`.arr AS CA10__AWS_EC2_Security_Group_Rules__r, process_CA10__CaAwsSecurityGroup__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.Id AS Id, `CA10__AWS_EC2_Security_Group_Rules__r`.arr AS CA10__AWS_EC2_Security_Group_Rules__r ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsSecurityGroup__c()) AS sObject LEFT JOIN ( SELECT sObject.CA10__securityGroup__c, ARRAY_AGG( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__direction__c AS CA10__direction__c, sObject.CA10__sourceIpRange__c AS CA10__sourceIpRange__c, sObject.CA10__protocol__c AS CA10__protocol__c, sObject.CA10__fromPort__c AS CA10__fromPort__c, sObject.CA10__toPort__c AS CA10__toPort__c, sObject.CA10__securityGroup__c AS CA10__securityGroup__c, sObject.Id AS Id, process_CA10__AWS_EC2_Security_Group_Rules__r( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__direction__c AS CA10__direction__c, sObject.CA10__sourceIpRange__c AS CA10__sourceIpRange__c, sObject.CA10__protocol__c AS CA10__protocol__c, sObject.CA10__fromPort__c AS CA10__fromPort__c, sObject.CA10__toPort__c AS CA10__toPort__c, sObject.CA10__securityGroup__c AS CA10__securityGroup__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result ) ) AS arr FROM UNNEST(mock_CA10__CaAwsSecurityGroupRule2__c()) AS sObject GROUP BY sObject.CA10__securityGroup__c ) AS `CA10__AWS_EC2_Security_Group_Rules__r` ON sObject.Id = `CA10__AWS_EC2_Security_Group_Rules__r`.CA10__securityGroup__c ) sObject ON sObject.Id = expectedResult.Id;