fix(query): fixed allowRule's on Generic Token and Generic Secret from Passwords and Secrets query

[cx-ricardo-jesus]

Closes #

Reason for Proposed Changes

• On the current implementation, in the allowRule below, the regex covers the cases when there are no parentheses at the end, it also allows the built in function getSecret not to have any argument, which is not valid according to its documentation and the usage of the characters " or ' was not mandatory which is not valid since, according to the built-in function documentation, the argument must be a string thus, it should have the characters " or ' .

{
          "description": "Allow secrets retrieved from Bicep getSecret built in function",
          "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]*)[\"']?"
}

• On the other allowRule, that was made to ignore the cases when a module output is referenced on Bicep format files, the ['"]? should be removed since the target file type does not use quotes to declare variables.

{
          "description": "Avoiding references to module outputs in Bicep",
          "regex": "(?i)['\"]?token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
}

Proposed Changes

• Changed the first allowRule from (?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]*)[\"']? to (?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\).

• Removed the ['"] from the beginning of the second allowRule, changing the allowRule from (?i)['\"]?token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*) to (?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*).

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.13

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0

[cx-artur-ribeiro]

LGTM, nice that you taken a look into the documentation to improve the regex pattern.