fix(query): resolve false positive on ALB WAF integration with WAFv2

[cx-prathmesh-borle]

Closes #7405

Reason for Proposed Changes

• The KICS query 105ba098 (ALB Is Not Integrated With WAF) produces false positives on CloudFormation templates that use the newer AWS::WAFv2::WebACLAssociation resource type because the Rego logic only checks for the legacy AWS::WAFRegional::WebACLAssociation type;
• AWS now recommends using WAFv2 (the current version of AWS WAF) instead of WAF Classic (WAFRegional), but the query's associated_waf helper function was hardcoded to only recognize the legacy type;
• Additionally, the query failed to handle the !GetAtt CloudFormation intrinsic function reference pattern, which KICS resolves to a string like "MyALB.LoadBalancerArn" instead of an object like {"Fn::GetAtt": ["MyALB", "LoadBalancerArn"]};
• This caused two problems:
  • False positives on WAFv2: ALBs correctly associated with WAFv2 WebACLs were flagged as "not integrated with WAF";
  • False positives on GetAtt references: ALBs using !GetAtt MyALB.LoadBalancerArn syntax were not recognized even when using WAFRegional;

Proposed Changes

• Replaced the two hardcoded AWS::WAFRegional::WebACLAssociation rules in query.rego with a type set and four rules covering all reference patterns:
  • Type set: waf_association_types := {"AWS::WAFRegional::WebACLAssociation", "AWS::WAFv2::WebACLAssociation"} to recognize both WAF Classic and WAFv2;
  • Rule 1: Handles {"Ref": "ALBName"} pattern (JSON format with explicit Ref object);
  • Rule 2: Handles "ALBName" pattern (resolved !Ref in YAML or direct string);
  • Rule 3: Handles {"Fn::GetAtt": ["ALBName", "Attr"]} pattern (JSON format with explicit GetAtt object);
  • Rule 4: Handles "ALBName.Attr" pattern (resolved !GetAtt in YAML using startswith check);
• Added 4 new negative test files to validate all reference patterns are correctly recognized:
  • negative3.yaml - WAFv2 with !GetAtt reference (the exact pattern from the issue report);
  • negative4.json - WAFv2 with Ref in JSON format;
  • negative5.yaml - WAFv2 with !Ref (resolved to direct string);
  • negative6.json - WAFv2 with Fn::GetAtt in JSON format;
• No changes to positive tests or expected results (existing positive tests for ALBs without any WAF association still correctly produce findings);

Note

• No impact to existing scan results - the fix adds new reference pattern checks without changing any result fields;
• Cross-platform check: Terraform variant already supports WAFv2 (aws_wafv2_web_acl_association in waf_resources list); Pulumi has no variant of this query;
• Backwards compatibility maintained: existing WAFRegional associations remain detected;

I submit this contribution under the Apache-2.0 license.