[BUG] Built in rule TA-000001 false-positive on site config object

[tonybaloney]

Describe the bug

The builtin rule TA-000001 has the following rule:

"anyOf": [
        {
          "resourceType": "Microsoft.Web/sites/config",
          "allOf": [
            {
              "path": "properties.detailedErrorLoggingEnabled",
              "equals": true
            },
            {
              "path": "properties.httpLoggingEnabled",
              "equals": true
            },
            {
              "path": "properties.requestTracingEnabled",
              "equals": true
            }
          ]
        },

But, whilst those are the property names for properties.siteConfig in the Web/Sites app, they are not for the Microsoft.Web/sites/config resource.

This is a valid site config, but the rule is still triggering on this template--

resource configLogs 'Microsoft.Web/sites/config@2022-03-01' = {
  name: 'logs'
  parent: appService
  properties: {
    applicationLogs: { fileSystem: { level: 'Verbose' } }
    detailedErrorMessages: { enabled: true }
    failedRequestsTracing: { enabled: true }
    httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } }
  }
  dependsOn: [configAppSettings]
}

This means the rule will always trigger on a Web/sites/config object, because properties.detailedErrorLoggingEnabled doesn't exist.

[EfratMalkaMS]

Hi @tonybaloney,

Thank you for reaching out with this issue.
We are going to triage it and update back on this thread.

Thanks,
MSDO team

[JohnathonMohr]

Hey @tonybaloney, it looks like the gap here is between the type of site config (controlled by the name property). The properties in the rule are correct for a Web config (where name is "web") and probably others, but the schema is different for the Logs config (where name is "logs").

As @EfratMalkaMS mentioned, we still need to triage this, but I wanted to give a quick update on initial investigation.

[EfratMalkaMS]

Hi @tonybaloney,

We're still investigating the issue, is this a blocking issue?

Thakns,
Efrat

[tonybaloney]

@EfratMalkaMS yes I have this false-positive on 23 separate projects.

[EfratMalkaMS]

Hi @tonybaloney ,

We're still working on triaging the issue and wanted to check if you could possibly mitigate the issue by suppressing the specific finding in question that would be great.

Thanks,
Efrat