fix(queries): fixed results on queries that had unhandled %s

assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego

@@ -8,56 +8,47 @@ CxPolicy[result] {
 
 	value.type == "Microsoft.Web/sites"
 
-	not common_lib.valid_key(value, "identity")
+	res := get_res(value, path)
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": value.type,
 		"resourceName": value.name,
-		"searchKey": sprintf("%s.name={{%s}}", [common_lib.concat_path(path), value.name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined",
-		"keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined",
-		"searchLine": common_lib.build_search_line(path, ["name"]),
+		"searchKey": res.sk,
+		"issueType": res.it,
+		"keyExpectedValue": res.kev,
+		"keyActualValue": res.kav,
+		"searchLine": res.sl,
 	}
 }
 
-CxPolicy[result] {
-	doc := input.document[i]
-	[path, value] = walk(doc)
-
-	value.type == "Microsoft.Web/sites"
+get_res(value, path) = res {
+	not common_lib.valid_key(value, "identity")
+	res := {
+		"sk": sprintf("%s.name={{%s}}", [common_lib.concat_path(path), value.name]),
+		"it": "MissingAttribute",
+		"kev": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined",
+		"kav": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined",
+		"sl": common_lib.build_search_line(path, ["name"])
+	}
+} else = res {
 	not common_lib.valid_key(value.identity, "type")
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": value.type,
-		"resourceName": value.name,
-		"searchKey": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
-		"keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
-		"searchLine": common_lib.build_search_line(path, ["identity"]),
+	res := {
+		"sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
+		"it": "MissingAttribute",
+		"kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
+		"kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined",
+		"sl": common_lib.build_search_line(path, ["identity"])
 	}
-}
-
-CxPolicy[result] {
-	doc := input.document[i]
-	[path, value] = walk(doc)
-
-	value.type == "Microsoft.Web/sites"
+} else = res {
 	common_lib.valid_key(value.identity, "type")
 	not is_valid_identity(value.identity)
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": value.type,
-		"resourceName": value.name,
-		"searchKey": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to %s",
-		"keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to %s",
-		"searchLine": common_lib.build_search_line(path, ["identity"]),
+	res := {
+		"sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]),
+		"it": "IncorrectValue",
+		"kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'",
+		"kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'",
+		"sl": common_lib.build_search_line(path, ["identity"])
 	}
 }
 

assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.bicep

@@ -0,0 +1,12 @@
+resource webSitePositive7 'Microsoft.Web/sites@2020-12-01' = {
+  name: 'webSitePositive7'
+  location: 'location1'
+  tags: {}
+  identity: {
+    type: 'UserAssigned'
+  }
+  properties: {
+    enabled: true
+    httpsOnly: true
+  }
+}

assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.39.26.7824",
+      "templateHash": "623030832249271008"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2020-12-01",
+      "name": "webSitePositive7",
+      "location": "location1",
+      "tags": {},
+      "identity": {
+        "type": "UserAssigned"
+      },
+      "properties": {
+        "enabled": true,
+        "httpsOnly": true
+      }
+    }
+  ]
+}

assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json

@@ -35,6 +35,12 @@
     "line": 17,
     "fileName": "positive6.json"
   },
+  {
+    "queryName": "Website Azure Active Directory Disabled",
+    "severity": "LOW",
+    "line": 18,
+    "fileName": "positive7.json"
+  },
   {
     "queryName": "Website Azure Active Directory Disabled",
     "severity": "LOW",
@@ -70,5 +76,11 @@
     "severity": "LOW",
     "line": 5,
     "fileName": "positive6.bicep"
+  },
+  {
+    "queryName": "Website Azure Active Directory Disabled",
+    "severity": "LOW",
+    "line": 5,
+    "fileName": "positive7.bicep"
   }
 ]

assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego

@@ -10,58 +10,45 @@ CxPolicy[result] {
 	resource.Type == "AWS::ApiGateway::RestApi"
 	properties := resource.Properties
 
-	properties.MinimumCompressionSize < 0
+	res := get_res(properties, name, path)
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-		"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0",
-		"searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+		"searchKey": res.sk,
+		"issueType": res.it,
+		"keyExpectedValue": res.kev,
+		"keyActualValue": res.kav,
+		"searchLine": res.sl,
 	}
 }
 
-CxPolicy[result] {
-	docs := input.document[i]
-	[path, Resources] := walk(docs)
-	resource := Resources[name]
-	resource.Type == "AWS::ApiGateway::RestApi"
-	properties := resource.Properties
-
+get_res(properties, name, path) = res {
+	properties.MinimumCompressionSize < 0
+	res := {
+		"sk": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
+		"it": "IncorrectValue",
+		"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+		"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0", [name]),
+		"sl": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+	}
+} else = res {
 	properties.MinimumCompressionSize > 10485759
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-		"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759",
-		"searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
+	res := {
+		"sk": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
+		"it": "IncorrectValue",
+		"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+		"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759", [name]),
+		"sl": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
 	}
-}
-
-CxPolicy[result] {
-	docs := input.document[i]
-	[path, Resources] := walk(docs)
-	resource := Resources[name]
-	resource.Type == "AWS::ApiGateway::RestApi"
-	properties := resource.Properties
-
+} else = res {
 	not common_lib.valid_key(properties, "MinimumCompressionSize")
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]),
-		"keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]),
-		"searchLine": common_lib.build_search_line(path, [name, "Properties"]),
+	res := {
+		"sk": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]),
+		"it": "MissingAttribute",
+		"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]),
+		"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]),
+		"sl": common_lib.build_search_line(path, [name, "Properties"]),
 	}
-}
+}

assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego

@@ -9,43 +9,42 @@ CxPolicy[result] {
 	resource.Type == "AWS::Serverless::Api"
 	properties := resource.Properties
 
-	unrecommended_minimum_compression_size(properties.MinimumCompressionSize)
+	res := get_res(properties, name)
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
-		"keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759",
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []),
+		"searchKey": res.sk,
+		"issueType": res.it,
+		"keyExpectedValue": res.kev,
+		"keyActualValue": res.kav,
+		"searchLine": res.sl,
 	}
 }
 
-CxPolicy[result] {
-	document := input.document
-	resource = document[i].Resources[name]
-	resource.Type == "AWS::Serverless::Api"
-	properties := resource.Properties
-
+get_res(properties, name) = res {
+	unrecommended_minimum_compression_size(properties.MinimumCompressionSize)
+	res := {
+		"sk": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]),
+		"it": "IncorrectValue",
+		"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+		"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", [name]),
+		"sl": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []),
+	}
+} else = res {
 	not common_lib.valid_key(properties, "MinimumCompressionSize")
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties", [name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined and not null", [name]),
-		"keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined or null", [name]),
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties"], []),
+	res := {
+		"sk": sprintf("Resources.%s.Properties", [name]),
+		"it": "MissingAttribute",
+		"kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined and not null", [name]),
+		"kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined or null", [name]),
+		"sl": common_lib.build_search_line(["Resources", name, "Properties"], []),
 	}
 }
 
-
 unrecommended_minimum_compression_size(value) {
 	value < 0
 } else {
 	value > 10485759
-}
+}

assets/queries/terraform/alicloud/alb_listening_on_http/query.rego

@@ -13,8 +13,8 @@ CxPolicy[result] {
 		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("alicloud_alb_listener[%s].listener_protocol", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'",
-		"keyActualValue": "'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'",
+		"keyExpectedValue": sprintf("'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'", [name]),
+		"keyActualValue": sprintf("'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "alicloud_alb_listener", name, "listener_protocol"], []),
 		"remediation": json.marshal({
 			"before": "HTTP",

assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego

@@ -90,7 +90,7 @@ CxPolicy[result] {
 		"searchKey": sprintf("aws_apigatewayv2_stage[%s].default_route_settings.logging_level", [name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("aws_apigatewayv2_stage[%s].default_route_settings.logging_level should not be set to OFF", [name]),
-		"keyActualValue": "aws_apigatewayv2_stage[%s].default_route_settings.logging_level is set to OFF",
+		"keyActualValue": sprintf("aws_apigatewayv2_stage[%s].default_route_settings.logging_level is set to OFF", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "aws_apigatewayv2_stage", name], ["default_route_settings", "logging_level"]),
 	}
 }
@@ -224,7 +224,7 @@ CxPolicy[result] {
 		"searchKey": sprintf("aws_api_gateway_method_settings[%s].settings.logging_level", [settingsId]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("aws_api_gateway_method_settings[%s].settings.logging_level should not be set to OFF", [settingsId]),
-		"keyActualValue": "aws_api_gateway_method_settings[%s].settings.logging_level is set to OFF",
+		"keyActualValue": sprintf("aws_api_gateway_method_settings[%s].settings.logging_level is set to OFF", [settingsId]),
 		"searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_method_settings", settingsId], ["settings", "logging_level"]),
 	}
 }