fix issue in test

cx-antero-silva · cx-antero-silva · commit a640201af840 · 2026-04-01T11:00:16.000+01:00
diff --git a/assets/queries/k8s/ingress_whitelist_open_to_all/query.rego b/assets/queries/k8s/ingress_whitelist_open_to_all/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": document.kind,
 		"resourceName": metadata.name,
-		"searchKey": sprintf("metadata.name={{%s}}.metadata.annotations.nginx.ingress.kubernetes.io/whitelist-source-range", [metadata.name]),
+		"searchKey": sprintf("metadata.name={{%s}}.annotations", [metadata.name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("Ingress '%s' whitelist-source-range should restrict access to specific IP ranges", [metadata.name]),
 		"keyActualValue": sprintf("Ingress '%s' whitelist-source-range is set to '%s', allowing access from all IP addresses", [metadata.name, whitelist]),
diff --git a/assets/queries/k8s/ingress_whitelist_open_to_all/test/positive_expected_result.json b/assets/queries/k8s/ingress_whitelist_open_to_all/test/positive_expected_result.json
@@ -2,16 +2,16 @@
   {
     "queryName": "Ingress Whitelist Open To All IPs",
     "severity": "HIGH",
-    "line": 6
+    "line": 5
   },
   {
     "queryName": "Ingress Whitelist Open To All IPs",
     "severity": "HIGH",
-    "line": 25
+    "line": 24
   },
   {
     "queryName": "Ingress Whitelist Open To All IPs",
     "severity": "HIGH",
-    "line": 44
+    "line": 43
   }
 ]
diff --git a/assets/queries/k8s/network_policy_ingress_not_restricted/query.rego b/assets/queries/k8s/network_policy_ingress_not_restricted/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": document.kind,
 		"resourceName": metadata.name,
-		"searchKey": sprintf("metadata.name={{%s}}.spec.ingress[%d]", [metadata.name, j]),
+		"searchKey": sprintf("metadata.name={{%s}}.spec.ingress", [metadata.name]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("NetworkPolicy '%s' ingress rule [%d] should define a 'from' block to restrict source IPs", [metadata.name, j]),
 		"keyActualValue": sprintf("NetworkPolicy '%s' ingress rule [%d] has no 'from' block, allowing traffic from all sources", [metadata.name, j]),
diff --git a/assets/queries/k8s/network_policy_ingress_not_restricted/test/positive_expected_result.json b/assets/queries/k8s/network_policy_ingress_not_restricted/test/positive_expected_result.json
@@ -2,11 +2,11 @@
   {
     "queryName": "Network Policy Ingress Not Restricted",
     "severity": "HIGH",
-    "line": 12
+    "line": 11
   },
   {
     "queryName": "Network Policy Ingress Not Restricted",
     "severity": "HIGH",
-    "line": 23
+    "line": 22
   }
 ]
diff --git a/e2e/tmp-kics-ar/194604684.tf b/e2e/tmp-kics-ar/194604684.tf
@@ -0,0 +1,20 @@
+resource "alicloud_ram_account_password_policy" "corporate1" {
+  require_lowercase_characters = false
+  require_uppercase_characters = false
+  require_numbers              = false
+  require_symbols              = false
+  hard_expiry                  = true
+  password_reuse_prevention    = 5
+  max_login_attempts           = 3
+}
+
+resource "alicloud_ram_account_password_policy" "corporate2" {
+  minimum_password_length = 14
+  require_lowercase_characters = false
+  require_uppercase_characters = false
+  require_numbers              = false
+  require_symbols              = false
+  hard_expiry                  = true
+  password_reuse_prevention    = 5
+  max_login_attempts           = 3
+}
diff --git a/e2e/tmp-kics-ar/985110139.tf b/e2e/tmp-kics-ar/985110139.tf
@@ -0,0 +1,20 @@
+resource "alicloud_ram_account_password_policy" "corporate1" {
+  require_lowercase_characters = false
+  require_uppercase_characters = false
+  require_numbers              = false
+  require_symbols              = false
+  hard_expiry                  = true
+  password_reuse_prevention    = 5
+  max_login_attempts           = 3
+}
+
+resource "alicloud_ram_account_password_policy" "corporate2" {
+  minimum_password_length = 14
+  require_lowercase_characters = false
+  require_uppercase_characters = false
+  require_numbers              = false
+  require_symbols              = false
+  hard_expiry                  = true
+  password_reuse_prevention    = 5
+  max_login_attempts           = 3
+}
diff --git a/e2e/tmp-kics-ar/results-remediate-all.json b/e2e/tmp-kics-ar/results-remediate-all.json
@@ -0,0 +1,160 @@
+{
+	"kics_version": "development",
+	"files_scanned": 1,
+	"lines_scanned": 0,
+	"files_parsed": 1,
+	"lines_parsed": 0,
+	"lines_ignored": 0,
+	"files_failed_to_scan": 0,
+	"queries_total": 3,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"CRITICAL": 0,
+		"HIGH": 1,
+		"INFO": 0,
+		"LOW": 0,
+		"MEDIUM": 4
+	},
+	"total_counter": 5,
+	"total_bom_resources": 0,
+	"start": "0001-01-01T00:00:00Z",
+	"end": "0001-01-01T00:00:00Z",
+	"paths": [
+		"/Users/anterosilva/Documents/PM/Monthly Data Review/kics/e2e/tmp-kics-ar/194604684.tf"
+	],
+	"queries": [
+		{
+			"query_name": "Ram Account Password Policy Not Required Minimum Length",
+			"query_id": "a9dfec39-a740-4105-bbd6-721ba163c053",
+			"query_url": "",
+			"severity": "HIGH",
+			"platform": "Terraform",
+			"cloud_provider": "ALICLOUD",
+			"category": "Secret Management",
+			"experimental": false,
+			"description": "Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above",
+			"description_id": "a8b47743",
+			"cis_description_id": "testCISID",
+			"cis_description_title": "testCISTitle",
+			"cis_description_text": "testCISDescription",
+			"files": [
+				{
+					"file_name": "/Users/anterosilva/Documents/PM/Monthly Data Review/kics/e2e/tmp-kics-ar/194604684.tf",
+					"similarity_id": "f282fa13cf5e4ffd4bbb0ee2059f8d0240edcd2ca54b3bb71633145d961de5ce",
+					"line": 1,
+					"vuln_lines": null,
+					"resource_type": "alicloud_ram_account_password_policy",
+					"resource_name": "corporate1",
+					"issue_type": "MissingAttribute",
+					"search_key": "alicloud_ram_account_password_policy[corporate1]",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "'minimum_password_length' is defined and set to 14 or above ",
+					"actual_value": "'minimum_password_length' is not defined",
+					"remediation": "minimum_password_length = 14",
+					"remediation_type": "addition"
+				}
+			]
+		},
+		{
+			"query_name": "RAM Account Password Policy Not Required Symbols",
+			"query_id": "41a38329-d81b-4be4-aef4-55b2615d3282",
+			"query_url": "",
+			"severity": "MEDIUM",
+			"platform": "Terraform",
+			"cloud_provider": "ALICLOUD",
+			"category": "Secret Management",
+			"experimental": false,
+			"description": "RAM account password security should require at least one symbol",
+			"description_id": "f3616c34",
+			"cis_description_id": "testCISID",
+			"cis_description_title": "testCISTitle",
+			"cis_description_text": "testCISDescription",
+			"files": [
+				{
+					"file_name": "/Users/anterosilva/Documents/PM/Monthly Data Review/kics/e2e/tmp-kics-ar/194604684.tf",
+					"similarity_id": "87abbee5d0ec977ba193371c702dca2c040ea902d2e606806a63b66119ff89bc",
+					"line": 5,
+					"vuln_lines": null,
+					"resource_type": "alicloud_ram_account_password_policy",
+					"resource_name": "corporate1",
+					"issue_type": "IncorrectValue",
+					"search_key": "resource.alicloud_ram_account_password_policy[corporate1].require_symbols",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "resource.alicloud_ram_account_password_policy[corporate1].require_symbols is set to 'true'",
+					"actual_value": "resource.alicloud_ram_account_password_policy[corporate1].require_symbols is configured as 'false'",
+					"remediation": "{\"after\":\"true\",\"before\":\"false\"}",
+					"remediation_type": "replacement"
+				},
+				{
+					"file_name": "/Users/anterosilva/Documents/PM/Monthly Data Review/kics/e2e/tmp-kics-ar/194604684.tf",
+					"similarity_id": "2628457bdb548986936dbd7d8479524f2079f26d36b9faa9f34423e796fe62c8",
+					"line": 16,
+					"vuln_lines": null,
+					"resource_type": "alicloud_ram_account_password_policy",
+					"resource_name": "corporate2",
+					"issue_type": "IncorrectValue",
+					"search_key": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols is set to 'true'",
+					"actual_value": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols is configured as 'false'",
+					"remediation": "{\"after\":\"true\",\"before\":\"false\"}",
+					"remediation_type": "replacement"
+				}
+			]
+		},
+		{
+			"query_name": "Ram Account Password Policy Max Password Age Unrecommended",
+			"query_id": "2bb13841-7575-439e-8e0a-cccd9ede2fa8",
+			"query_url": "",
+			"severity": "MEDIUM",
+			"platform": "Terraform",
+			"cloud_provider": "ALICLOUD",
+			"category": "Secret Management",
+			"experimental": false,
+			"description": "Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91",
+			"description_id": "6056f5ca",
+			"cis_description_id": "testCISID",
+			"cis_description_title": "testCISTitle",
+			"cis_description_text": "testCISDescription",
+			"files": [
+				{
+					"file_name": "/Users/anterosilva/Documents/PM/Monthly Data Review/kics/e2e/tmp-kics-ar/194604684.tf",
+					"similarity_id": "f1d17b3513439e03cd0a25690acc44755d4e68decfaa6c03522b20a65b26b617",
+					"line": 5,
+					"vuln_lines": null,
+					"resource_type": "alicloud_ram_account_password_policy",
+					"resource_name": "corporate1",
+					"issue_type": "MissingAttribute",
+					"search_key": "alicloud_ram_account_password_policy[corporate1]",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "'max_password_age' should be higher than 0 and lower than 91",
+					"actual_value": "'max_password_age' is not defined",
+					"remediation": "max_password_age = 12",
+					"remediation_type": "addition"
+				},
+				{
+					"file_name": "/Users/anterosilva/Documents/PM/Monthly Data Review/kics/e2e/tmp-kics-ar/194604684.tf",
+					"similarity_id": "404ad93f4a485d0dd1b1621489c38be9c98dcc0b94396701ecad162e28db97fd",
+					"line": 11,
+					"vuln_lines": null,
+					"resource_type": "alicloud_ram_account_password_policy",
+					"resource_name": "corporate2",
+					"issue_type": "MissingAttribute",
+					"search_key": "alicloud_ram_account_password_policy[corporate2]",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "'max_password_age' should be higher than 0 and lower than 91",
+					"actual_value": "'max_password_age' is not defined",
+					"remediation": "max_password_age = 12",
+					"remediation_type": "addition"
+				}
+			]
+		}
+	]
+}
diff --git a/e2e/tmp-kics-ar/results-remediate-include-ids.json b/e2e/tmp-kics-ar/results-remediate-include-ids.json

Original file line number	Diff line number	Diff line change
`@@ -2,16 +2,16 @@`
`2`	`2`	`{`
`3`	`3`	`"queryName": "Ingress Whitelist Open To All IPs",`
`4`	`4`	`"severity": "HIGH",`
`5`		`- "line": 6`
	`5`	`+ "line": 5`
`6`	`6`	`},`
`7`	`7`	`{`
`8`	`8`	`"queryName": "Ingress Whitelist Open To All IPs",`
`9`	`9`	`"severity": "HIGH",`
`10`		`- "line": 25`
	`10`	`+ "line": 24`
`11`	`11`	`},`
`12`	`12`	`{`
`13`	`13`	`"queryName": "Ingress Whitelist Open To All IPs",`
`14`	`14`	`"severity": "HIGH",`
`15`		`- "line": 44`
	`15`	`+ "line": 43`
`16`	`16`	`}`
`17`	`17`	`]`
Original file line number	Diff line number	Diff line change
`@@ -2,11 +2,11 @@`
`2`	`2`	`{`
`3`	`3`	`"queryName": "Network Policy Ingress Not Restricted",`
`4`	`4`	`"severity": "HIGH",`
`5`		`- "line": 12`
	`5`	`+ "line": 11`
`6`	`6`	`},`
`7`	`7`	`{`
`8`	`8`	`"queryName": "Network Policy Ingress Not Restricted",`
`9`	`9`	`"severity": "HIGH",`
`10`		`- "line": 23`
	`10`	`+ "line": 22`
`11`	`11`	`}`
`12`	`12`	`]`