Error publishing rules when they contain an NSG

[andywills133]

When I add an NSG to my bicep deployment it causes an error when publishing the xml output:

##[warning]Failed to read D:\a\1\s\results\psrule-report.xml. Error : 'any' is an unexpected token. Expecting white space. Line 1, position 4074..

looking at the xml it appears to be this section causing the issue:

"Network security groups (NSGs) should avoid rules that allow "any" as an inbound source."

assert is working fine its just publishing the output where I have an issue

In my environment I have to supply NSGs with a deny all inbound and outbound rule which the product teams will then populate with white list rules. The NSG parameters are being supplied by a parameter file:

    "networkSecurityGroups": {
      "value": [
        {
          "location": "uksouth",
          "rules": [
            {
              "name": "DenyAllInbound",
              "properties": {
                "protocol": "TCP",
                "sourcePortRange": "*",
                "destinationPortRange": "*",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "*",
                "access": "Deny",
                "priority": 4096,
                "direction": "Inbound",
                "sourcePortRanges": [],
                "destinationPortRanges": [],
                "sourceAddressPrefixes": [],
                "destinationAddressPrefixes": []
              }
            },
            {
              "name": "DenyAllOutbound",
              "properties": {
                "protocol": "*",
                "sourcePortRange": "*",
                "destinationPortRange": "*",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "*",
                "access": "Deny",
                "priority": 4096,
                "direction": "Outbound",
                "sourcePortRanges": [],
                "destinationPortRanges": [],
                "sourceAddressPrefixes": [],
                "destinationAddressPrefixes": []
              }
            }
          ]
        }
      ]
    }

Am I doing something in my deployment to cause this issue? Any help in working through this so I can publish would be really appreciated.

[BernieWhite]

@andywills133 There seems to be a few separate issues occurring.

1. The results/psrule-report.xml is being scanned and failing to parse. The parsing part may be a bug which requires further investigation. However we can easily exclude the file since there is typically no requirement to scan this file. Do this by adding the reports/ path to .gitignore or setting the Input.PathIgnore option.
2. The Azure.NSG.AnyInboundSource rule is failing.

To address Azure.NSG.AnyInboundSource, check if there is any inbound rules with a lower priority that are Allow and specify the sourceAddressPrefix of *. If there are ideally avoid these type of rules because they implicitly allow traffic from the internet which could be a security issue. If access from the internet is intended use Internet. If both internet and virtual network are intended create two rules so that you are clearly communicating the intent of each rule.

If you does not have any inbound rules with allow and a sourceAddressPrefix of * there may be a bug. If you are able to log a bug over here with any additional bicep code that would be helpful to work on a fix for the issue.

If the rule is failing but to do not want to fix the issue for some reason you can suppress the issue by following these steps. https://azure.github.io/PSRule.Rules.Azure/creating-your-pipeline/#ignoring-rules

---

I hope that helps.

[andywills133]

Thank you for the reply. I tried the ignore and suppression route but the error is still occurring in the publish task

`Task : Publish Test Results
Description : Publish test results to Azure Pipelines
Version : 2.210.0
Author : Microsoft Corporation
Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/test/publish-test-results

"C:\Program Files\dotnet\dotnet.exe" --version
6.0.402
D:\a_tasks\PublishTestResults_0b0f01ed-7dde-43ff-9cbb-e48954daf9b1\2.210.0\modules\TestResultsPublisher.exe @d:\a_temp\8b25a120-4d8d-11ed-9d97-39614f202e6d.txt
##[warning]Failed to read D:\a\1\s\results\psrule-report.xml. Error : 'any' is an unexpected token. Expecting white space. Line 1, position 4082..
No build level attachments to publish.
Result Attachments will be stored in LogStore
Run Attachments will be stored in LogStore
`

If I edit the xml and replace the double quotes with single round the any this makes the xml valid and am able to publish. I have raised a bug and uploaded an example of the invalid xml.

Thanks again for your assistance.

[BernieWhite]

@andywills133 Thanks for logging the issue. Just to clarify, did you ignore configuration in ps-rule.yaml look like this:

input:
  pathIgnore:
  - 'reports/'

[andywills133]

Hi, this is the what the section looks like: input: pathIgnore: # Ignore other files in the repository. - 'reports/'

…

On Tue, Oct 18, 2022 at 3:52 PM Bernie White ***@***.***> wrote: @andywills133 <https://github.com/andywills133> Thanks for logging the issue. Just to clarify, did you ignore configuration in ps-rule.yaml look like this: input: pathIgnore: - 'reports/' — Reply to this email directly, view it on GitHub <#1313 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AUQDFKFSDAMHETVHG3OOWSDWD22UVANCNFSM6AAAAAARFB2ZDI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[andywills133]

Morning. Thank you for the assistance so far. I have tested using 2.5.2:

Using PSRule v2.5.2
Using PSRule.Rules.Azure v1.20.2

and now receive a different error when attempting to publish:

##[warning]Failed to read D:\a\1\s\results\psrule-report.xml. Error : There is no Unicode byte order mark. Cannot switch to Unicode..

[BernieWhite]

@andywills133 Thanks for the feedback. We've fixed this warning in PSRule v2.5.3. Let us know if you have any further feedback.

[andywills133]

Thank you. I can confirm this is now working without error. Thanks again.

[BernieWhite]

This was a bug fixed in PSRule v2.5.3.