diff --git a/roles/lib/files/FWO.Compliance/ComplianceCheck.cs b/roles/lib/files/FWO.Compliance/ComplianceCheck.cs
index 8fea6d136f..a21752d27f 100644
--- a/roles/lib/files/FWO.Compliance/ComplianceCheck.cs
+++ b/roles/lib/files/FWO.Compliance/ComplianceCheck.cs
@@ -587,8 +587,8 @@ public static List GetRelevantManagements(GlobalConfig globalConfig,
private async Task CheckMatrixCompliance(Rule rule, ComplianceCriterion criterion, List resolvedSources, List resolvedDestinations)
{
- Task ipRanges)>> fromsTask = GetNetworkObjectsWithIpRanges(resolvedSources);
- Task ipRanges)>> tosTask = GetNetworkObjectsWithIpRanges(resolvedDestinations);
+ Task ipRanges)>> fromsTask = GetNetworkObjectsWithIpRanges(resolvedSources, negated: rule.SourceNegated);
+ Task ipRanges)>> tosTask = GetNetworkObjectsWithIpRanges(resolvedDestinations, negated: rule.DestinationNegated);
await Task.WhenAll(fromsTask, tosTask);
@@ -750,13 +750,21 @@ private bool CheckForForbiddenService(Rule rule, ComplianceCriterion criterion)
return ruleIsCompliant;
}
- private static Task ipRanges)>> GetNetworkObjectsWithIpRanges(List networkObjects)
+ private static Task ipRanges)>> GetNetworkObjectsWithIpRanges(List networkObjects, string? fullRangeString = "0.0.0.0/0", bool negated = false)
{
List<(NetworkObject networkObject, List ipRanges)> networkObjectsWithIpRange = [];
foreach (NetworkObject networkObject in networkObjects)
{
- networkObjectsWithIpRange.Add((networkObject, ParseIpRange(networkObject)));
+ List ranges = ParseIpRange(networkObject);
+
+ if (negated)
+ {
+ IPAddressRange fullRange = IPAddressRange.Parse(fullRangeString);
+ ranges = fullRange.Subtract(ranges);
+ }
+
+ networkObjectsWithIpRange.Add((networkObject, ranges));
}
return Task.FromResult(networkObjectsWithIpRange);
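Review bot: Nothing at the two assignments in CheckMatrixCompliance tells a reader that for a negated side `fromsTask`/`tosTask` now hold the complement of the objects' addresses rather than the addresses themselves, which changes how the rest of the method (outside this hunk) must interpret them; a one-line comment above the assignments would make that visible, e.g. `// For negated rule sides the resolved ranges are the complement of the objects' addresses, not the addresses themselves.` Both calls also leave `fullRangeString` at its default, so the complement is always taken against the method's IPv4 default regardless of the object's address family. The body of CheckMatrixCompliance continues past the hunk.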
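Review bot: The complement is taken per object inside the foreach, so a negated side with several objects yields complement(A), complement(B), … instead of the complement of A ∪ B; if the caller treats the returned ranges as the union of that side's addresses (not visible here), a negated multi-object side then covers everything outside A ∩ B, which over-states the rule's reach and produces a wrong compliance verdict even though it errs on the strict side. The default `fullRangeString` of `"0.0.0.0/0"` is IPv4-only, so for an IPv6 object the result depends on how `Subtract` handles a mismatched address family, which this hunk does not show and which should be confirmed. `IPAddressRange.Parse(fullRangeString)` is also loop-invariant and will throw if a caller passes null despite the `string?` annotation; hoisting it above the loop, e.g. `IPAddressRange? fullRange = negated ? IPAddressRange.Parse(fullRangeString ?? "0.0.0.0/0") : null;`, removes the repeated parse and the null path. The method's closing brace lies outside the hunk.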