feat: Enhance AKS and General frameworks with security profile and network profile improvements

Author: GeekMasher

ql/lib/codeql/bicep/frameworks/Microsoft/AKS.qll

@@ -80,7 +80,7 @@ module AKS {
     /**
      * Returns the security profile.
      */
-    SecurityProfile getSecurityProfile() {
+    SecurityProfiles::SecurityProfile getSecurityProfile() {
       result = this.getProperties().getSecurityProfile()
     }
 
@@ -247,7 +247,7 @@ module AKS {
       /**
        * Gets the security profile for the cluster.
        */
-      SecurityProfile getSecurityProfile() { result = this.getProperty("securityProfile") }
+      SecurityProfiles::SecurityProfile getSecurityProfile() { result = this.getProperty("securityProfile") }
 
       /**
        * Gets the service mesh profile for the cluster.
@@ -585,7 +585,7 @@ module AKS {
       /**
        * Gets the Windows profile.
        */
-      Expr getWindowsProfile() { result = this.getProperty("windowsProfile") }
+      OsProfiles::WindowsProfile getWindowsProfile() { result = this.getProperty("windowsProfile") }
 
       /**
        * Gets the power state.
@@ -979,44 +979,6 @@ module AKS {
       string toString() { result = "AzureMonitorProfile" }
     }
 
-    /**
-     * Represents the security profile for a managed AKS cluster.
-     */
-    class SecurityProfile extends Object {
-      private Properties properties;
-
-      /**
-       * Constructs a SecurityProfile object for the given properties.
-       */
-      SecurityProfile() { this = properties.getProperty("securityProfile") }
-
-      /**
-       * Gets the Azure Key Vault KMS property.
-       */
-      Expr getAzureKeyVaultKms() { result = this.getProperty("azureKeyVaultKms") }
-
-      /**
-       * Gets the defender property.
-       */
-      Expr getDefender() { result = this.getProperty("defender") }
-
-      /**
-       * Gets the image cleaner property.
-       */
-      Expr getImageCleaner() { result = this.getProperty("imageCleaner") }
-
-      /**
-       * Gets the node restriction property.
-       */
-      Expr getNodeRestriction() { result = this.getProperty("nodeRestriction") }
-
-      /**
-       * Gets the workload identity property.
-       */
-      Expr getWorkloadIdentity() { result = this.getProperty("workloadIdentity") }
-
-      string toString() { result = "SecurityProfile" }
-    }
 
     /**
      * Represents the service mesh profile for a managed AKS cluster.

ql/lib/codeql/bicep/frameworks/Microsoft/General.qll

@@ -43,7 +43,7 @@ abstract class ResourceProperties extends Object {
   /**
    * Returns a string representation of the resource properties object.
    */
-  string toString() { result = super.toString() }
+  string toString() { result = "ResourceProperties" }
 }
 
 /**

ql/lib/codeql/bicep/frameworks/Microsoft/Profiles.qll

@@ -144,9 +144,40 @@ module NetworkingProfiles {
     NetworkProfile() { this = properties.getProperty("networkProfile") }
 
     /**
-     * Returns a string representation of the network profile.
+     * Returns the network interfaces property of the network profile.
      */
-    string toString() { result = "NetworkProfile" }
+    StringLiteral getNetworkPlugin() { result = this.getProperty("networkPlugin") }
+
+    predicate hasNetworkPlugin() { exists(this.getNetworkPlugin()) }
+
+    string networkPlugin() { result = this.getNetworkPlugin().getValue() }
+
+    /**
+     * Returns the network policy for the virtual machine.
+     */
+    StringLiteral getNetworkPolicy() { result = this.getProperty("networkPolicy") }
+
+    predicate hasNetworkPolicy() { exists(this.getNetworkPolicy()) }
+
+    string networkPolicy() { result = this.getNetworkPolicy().getValue() }
+
+    StringLiteral getLoadBalancerSku() { result = this.getProperty("loadBalancerSku") }
+
+    predicate hasLoadBalancerSku() { exists(this.getLoadBalancerSku()) }
+
+    string loadBalancerSku() { result = this.getLoadBalancerSku().getValue() }
+
+    StringLiteral getOutboundType() { result = this.getProperty("outboundType") }
+
+    string outboundType() { result = this.getOutboundType().getValue() }
+
+    predicate hasOutboundType() { exists(this.getOutboundType()) }
+
+    StringLiteral getServiceCidr() { result = this.getProperty("serviceCidr") }
+
+    predicate hasServiceCidr() { exists(this.getServiceCidr()) }
+
+    string serviceCidr() { result = this.getServiceCidr().getValue() }
 
     /**
      * Returns the network interfaces for the virtual machine.
@@ -161,6 +192,11 @@ module NetworkingProfiles {
     private Object getNetworkInterfacesObject() {
       result = this.getProperty("networkInterfaces").(Array).getElements()
     }
+
+    /**
+     * Returns a string representation of the network profile.
+     */
+    string toString() { result = "NetworkProfile" }
   }
 }
 
@@ -237,3 +273,44 @@ module StorageProfiles {
     Expr getVersion() { result = this.getProperty("version") }
   }
 }
+
+module SecurityProfiles {
+  /**
+   * Represents the security profile for a managed AKS cluster.
+   */
+  class SecurityProfile extends Object {
+    private ResourceProperties properties;
+
+    /**
+     * Constructs a SecurityProfile object for the given properties.
+     */
+    SecurityProfile() { this = properties.getProperty("securityProfile") }
+
+    /**
+     * Gets the Azure Key Vault KMS property.
+     */
+    Expr getAzureKeyVaultKms() { result = this.getProperty("azureKeyVaultKms") }
+
+    /**
+     * Gets the defender property.
+     */
+    Expr getDefender() { result = this.getProperty("defender") }
+
+    /**
+     * Gets the image cleaner property.
+     */
+    Expr getImageCleaner() { result = this.getProperty("imageCleaner") }
+
+    /**
+     * Gets the node restriction property.
+     */
+    Expr getNodeRestriction() { result = this.getProperty("nodeRestriction") }
+
+    /**
+     * Gets the workload identity property.
+     */
+    Expr getWorkloadIdentity() { result = this.getProperty("workloadIdentity") }
+
+    string toString() { result = "SecurityProfile" }
+  }
+}