fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>

Author: nikpivkin

pkg/iac/adapters/arm/storage/adapt.go

@@ -18,20 +18,18 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {
 	var accounts []storage.Account
 	for _, resource := range deployment.GetResourcesByType("Microsoft.Storage/storageAccounts") {
 
-		var networkRules []storage.NetworkRule
-		for _, acl := range resource.Properties.GetMapValue("networkAcls").AsList() {
+		acl := resource.Properties.GetMapValue("networkAcls")
 
-			var bypasses []types.StringValue
-			bypassProp := acl.GetMapValue("bypass")
-			for _, bypass := range strings.Split(bypassProp.AsString(), ",") {
-				bypasses = append(bypasses, types.String(bypass, bypassProp.GetMetadata()))
-			}
+		var bypasses []types.StringValue
+		bypassProp := acl.GetMapValue("bypass")
+		for _, bypass := range strings.Split(bypassProp.AsString(), ",") {
+			bypasses = append(bypasses, types.String(strings.TrimSpace(bypass), bypassProp.GetMetadata()))
+		}
 
-			networkRules = append(networkRules, storage.NetworkRule{
-				Metadata:       acl.GetMetadata(),
-				Bypass:         bypasses,
-				AllowByDefault: types.Bool(acl.GetMapValue("defaultAction").EqualTo("Allow"), acl.GetMetadata()),
-			})
+		networkRule := storage.NetworkRule{
+			Metadata:       acl.GetMetadata(),
+			Bypass:         bypasses,
+			AllowByDefault: types.Bool(acl.GetMapValue("defaultAction").EqualTo("Allow"), acl.GetMetadata()),
 		}
 
 		var queues []storage.Queue
@@ -52,7 +50,7 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {
 
 		account := storage.Account{
 			Metadata:     resource.Metadata,
-			NetworkRules: networkRules,
+			NetworkRules: []storage.NetworkRule{networkRule},
 			EnforceHTTPS: resource.Properties.GetMapValue("supportsHttpsTrafficOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
 			Containers:   containers,
 			QueueProperties: storage.QueueProperties{

pkg/iac/adapters/arm/storage/adapt_test.go

@@ -6,6 +6,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/aquasecurity/trivy/internal/testutil"
+	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/storage"
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
 	"github.com/aquasecurity/trivy/pkg/iac/types"
 )
@@ -43,6 +45,10 @@ func Test_AdaptStorage(t *testing.T) {
 					"minimumTlsVersion":        azure.NewValue("TLS1_2", types.NewTestMetadata()),
 					"supportsHttpsTrafficOnly": azure.NewValue(true, types.NewTestMetadata()),
 					"publicNetworkAccess":      azure.NewValue("Disabled", types.NewTestMetadata()),
+					"networkAcls": azure.NewValue(map[string]azure.Value{
+						"bypass":        azure.NewValue("Logging, Metrics", types.NewTestMetadata()),
+						"defaultAction": azure.NewValue("Allow", types.NewTestMetadata()),
+					}, types.NewTestMetadata()),
 				}, types.NewTestMetadata()),
 			},
 		},
@@ -52,9 +58,20 @@ func Test_AdaptStorage(t *testing.T) {
 
 	require.Len(t, output.Accounts, 1)
 
-	account := output.Accounts[0]
-	assert.Equal(t, "TLS1_2", account.MinimumTLSVersion.Value())
-	assert.True(t, account.EnforceHTTPS.Value())
-	assert.False(t, account.PublicNetworkAccess.Value())
+	expected := storage.Storage{
+		Accounts: []storage.Account{{
+			MinimumTLSVersion:   types.StringTest("TLS1_2"),
+			EnforceHTTPS:        types.BoolTest(true),
+			PublicNetworkAccess: types.BoolTest(false),
+			NetworkRules: []storage.NetworkRule{{
+				Bypass: []types.StringValue{
+					types.StringTest("Logging"),
+					types.StringTest("Metrics"),
+				},
+				AllowByDefault: types.BoolTest(true),
+			}},
+		}},
+	}
 
+	testutil.AssertDefsecEqual(t, expected, output)
 }