update(branch): sync master to release/1.6 (#5496)

* docs(kicsbot): update images digest (#5485)

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.34 to 1.44.37 (#5490)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.34 to 1.44.37.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](aws/aws-sdk-go@v1.44.34...v1.44.37)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(query): uncomment cloud formation's test sample (#5320)

* fix(query): uncomment cloud formation's test sample

Signed-off-by: Felipe Avelar <felipe.avelar@outlook.com>

* add suggested changes

Signed-off-by: Felipe Avelar <felipe.avelar@outlook.com>

* added branching process for major versions (#5479)

* Update sync_major_release.yaml (#5497)

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.37 to 1.44.38 (#5498)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.37 to 1.44.38.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](aws/aws-sdk-go@v1.44.37...v1.44.38)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (#5499)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.7.2 to 1.7.4.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.7.2...v1.7.4)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5500)

* update(query): improved "Resource Not Using Tags" description (#5483)

* updated "Resource Not Using Tags" description

* fixing E2E test

* fix(secrets inspector): added mutex to lock addVulnerability (#5503)

* added mutex to lock addVulnerability

* increased timeout for go lint and go test race

* fixed tiller queries

* fixed 94b76ea5-e074-4ca2-8a03-c5a606e30645

* docs(queries): update queries catalog (#5501)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Felipe Avelar <felipe.avelar@outlook.com>
Co-authored-by: Rafaela Soares <rafaela.soares@checkmarx.com>

.github/workflows/go-ci-integration.yml

@@ -2,7 +2,7 @@ name: go-ci-integration
 
 on:
   pull_request:
-    branches: [master]
+    branches: [master, release/1.6]
 
 jobs:
   integration-tests:

.github/workflows/go-ci.yml

@@ -2,7 +2,7 @@ name: go-ci
 
 on:
   pull_request:
-    branches: [master]
+    branches: [master, release/1.6]
 
 jobs:
   lint:
@@ -18,7 +18,7 @@ jobs:
         uses: golangci/golangci-lint-action@v3.2.0
         with:
           version: v1.46.1
-          args: -c .golangci.yml --timeout 15m
+          args: -c .golangci.yml --timeout 20m
   go-generate:
     name: go-generate
     runs-on: ubuntu-latest

.github/workflows/go-e2e.yaml

@@ -2,7 +2,7 @@ name: go-e2e
 
 on:
   pull_request:
-    branches: [master]
+    branches: [master, release/1.6]
 
 jobs:
   e2e-tests:

.github/workflows/go-test-race.yml

@@ -41,7 +41,7 @@ jobs:
           go mod vendor
       - name: Test and Generate Report
         run: |
-          go test -race -timeout 3600s -mod=vendor -v $(go list ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
+          go test -race -timeout 9999s -mod=vendor -v $(go list ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
           result_code=${PIPESTATUS[0]}
           exit $result_code
       - name: Archive test logs

.github/workflows/kics-gh-action.yaml

@@ -2,7 +2,7 @@ name: kics-github-action
 
 on:
   pull_request:
-    branches: [master]
+    branches: [master, release/1.6]
   workflow_dispatch:
 
 jobs:

.github/workflows/sonarcloud.yml

@@ -2,8 +2,7 @@ name: static-analysis
 
 on:
   push:
-    branches:
-      - master
+    branches: [master, release/1.6]
 
 jobs:
   sonarcloud:

.github/workflows/sync_major_release.yaml

@@ -0,0 +1,27 @@
+name: sync-branches-action
+
+on:
+  push:
+    branches: [master]
+
+jobs:
+  sync-major-release-branch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Cancel Previous Runs
+        uses: styfle/cancel-workflow-action@0.9.1
+        with:
+          access_token: ${{ github.token }}
+      - uses: actions/checkout@v3
+      - name: Sync Pull Request
+        uses: repo-sync/pull-request@v2
+        with:
+          source_branch: "master"
+          destination_branch: "release/1.6"                
+          pr_title: "update(branch): sync master to release/1.6"
+          pr_body: |
+            **Automated Changes**
+            - :magic_wand: Syncing master to release/1.6
+            
+            Triggered by SHA: _${{ github.sha }}_
+          github_token: ${{ secrets.KICS_BOT_PAT }}

assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative1.yaml

@@ -1,24 +1,24 @@
-#AWSTemplateFormatVersion: 2010-09-09
-#Resources:
-#  Analyzer:
-#    Type: "AWS::AccessAnalyzer::Analyzer"
-#    Properties:
-#      AnalyzerName: MyAccountAnalyzer
-#      Type: ACCOUNT
-#      Tags:
-#        - Key: Kind
-#          Value: Dev
-#      ArchiveRules:
-# Archive findings for a trusted AWS account
-#          RuleName: ArchiveTrustedAccountAccess
-#          Filter:
-#            - Property: "principal.AWS"
-#              Eq:
-#                - "123456789012"
-# Archive findings for known public S3 buckets
-#          RuleName: ArchivePublicS3BucketsAccess
-#          Filter:
-#            - Property: "resource"
-#              Contains:
-#                - "arn:aws:s3:::docs-bucket"
-#                - "arn:aws:s3:::clients-bucket"
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  Analyzer:
+    Type: "AWS::AccessAnalyzer::Analyzer"
+    Properties:
+      AnalyzerName: MyAccountAnalyzer
+      Type: ACCOUNT
+      Tags:
+        - Key: Kind
+          Value: Dev
+      ArchiveRules:
+        - # Archive findings for a trusted AWS account
+          RuleName: ArchiveTrustedAccountAccess
+          Filter:
+            - Property: "principal.AWS"
+              Eq:
+                - "123456789012"
+        - # Archive findings for known public S3 buckets
+          RuleName: ArchivePublicS3BucketsAccess
+          Filter:
+            - Property: "resource"
+              Contains:
+                - "arn:aws:s3:::docs-bucket"
+                - "arn:aws:s3:::clients-bucket"

assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego

@@ -44,7 +44,7 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("apiVersion={{%s}}", [document.apiVersion]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("metadata.name={{%s}}.apiVersion should be {{%s}}", [metadata.name, recommendedVersions[document.apiVersion][document.kind]]),
-		"keyActualValue": sprintf("metadata.name={{%s}}.apiVersion is deprecated and is {{%s}}", [metadata.name, document.apiVersion]),
+		"keyExpectedValue": sprintf("metadata.name={{%s}}.apiVersion of %s should be {{%s}}", [metadata.name,  document.kind, recommendedVersions[document.apiVersion][document.kind]]),
+		"keyActualValue": sprintf("metadata.name={{%s}}.apiVersion of %s  is deprecated and is {{%s}}", [metadata.name, document.kind, document.apiVersion]),
 	}
 }

assets/queries/k8s/tiller_is_deployed/query.rego

@@ -12,8 +12,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "'metadata' does not refer any to a Tiller resource",
-		"keyActualValue": "'metadata' refers to a Tiller resource",
+		"keyExpectedValue": sprintf("'metadata' of %s does not refer to any Tiller resource", [document.kind]),
+		"keyActualValue": sprintf("'metadata' of %s refers to a Tiller resource", [document.kind]),
 	}
 }
 
@@ -33,8 +33,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.spec.%s", [metadata.name, types[x]]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'spec.containers' doesn't have any Tiller containers", [types[x]]),
-		"keyActualValue": sprintf("'spec.containers' contains a Tiller container", [types[x]]),
+		"keyExpectedValue": sprintf("'spec.%s' of %s doesn't have any Tiller containers", [types[x], document.kind]),
+		"keyActualValue": sprintf("'spec.%s' of %s contains a Tiller container", [types[x], document.kind]),
 	}
 }
 
@@ -51,8 +51,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.spec.template.metadata", [metadata.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "'spec.template.metadata' does not refer to any Tiller resource",
-		"keyActualValue": "'spec.template.metadata' refers to a Tiller resource",
+		"keyExpectedValue": sprintf("'spec.template.metadata' does not refer to any Tiller resource", [document.kind]),
+		"keyActualValue": sprintf("'spec.template.metadata' refers to a Tiller resource", [document.kind]),
 	}
 }
 
@@ -70,8 +70,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.spec.template.spec.%s", [metadata.name, types[x]]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'spec.template.spec.%s' doesn't have any Tiller containers", [types[x]]),
-		"keyActualValue": sprintf("'spec.template.spec.%s' contains a Tiller container", [types[x]]),
+		"keyExpectedValue": sprintf("'spec.template.spec.%s' of %s doesn't have any Tiller containers", [types[x], document.kind]),
+		"keyActualValue": sprintf("'spec.template.spec.%s' of %s contains a Tiller container", [types[x], document.kind]),
 	}
 }
 

assets/queries/k8s/tiller_service_is_not_deleted/query.rego

@@ -13,8 +13,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "metadata.name does not contain 'tiller'",
-		"keyActualValue": "metadata.name contains 'tiller'",
+		"keyExpectedValue": sprintf("metadata.name of %s does not contain 'tiller'", [document.kind]),
+		"keyActualValue": sprintf("metadata.name of %s contains 'tiller'", [document.kind]),
 	}
 }
 
@@ -33,8 +33,8 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}", [metadata.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "metadata.labels does not have values that contain 'tiller'",
-		"keyActualValue": sprintf("metadata.labels.%s contains 'tiller'", [j]),
+		"keyExpectedValue": sprintf("metadata.labels of %s does not have values that contain 'tiller'", [document.kind]),
+		"keyActualValue": sprintf("metadata.labels.%s of %s contains 'tiller'", [document.kind, j]),
 	}
 }
 
@@ -54,7 +54,7 @@ CxPolicy[result] {
 		"resourceName": metadata.name,
 		"searchKey": sprintf("metadata.name={{%s}}.spec.selector.%s", [metadata.name, j]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "spec.selector does not have values that contain 'tiller'",
-		"keyActualValue": sprintf("spec.selector.%s contains 'tiller'", [j]),
+		"keyExpectedValue": sprintf("spec.selector of %s does not have values that contain 'tiller'", [document.kind]),
+		"keyActualValue": sprintf("spec.selector.%s of %s contains 'tiller'", [document.kind, j]),
 	}
 }

assets/queries/terraform/aws/resource_not_using_tags/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "Resource Not Using Tags",
   "severity": "INFO",
   "category": "Best Practices",
-  "descriptionText": "AWS services resource tags are an essential part of managing components",
+  "descriptionText": "AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'",
   "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging",
   "platform": "Terraform",
   "descriptionID": "09db2d52",

assets/queries/terraform/aws/resource_not_using_tags/query.rego

@@ -34,8 +34,8 @@ CxPolicy[result] {
 		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("%s[{{%s}}].tags", [res, name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("%s[{{%s}}].tags has tags defined other than 'Name'", [res, name]),
-		"keyActualValue": sprintf("%s[{{%s}}].tags has no tags defined", [res, name]),
+		"keyExpectedValue": sprintf("%s[{{%s}}].tags has additional tags defined other than 'Name'", [res, name]),
+		"keyActualValue": sprintf("%s[{{%s}}].tags does not have additional tags defined other than 'Name'", [res, name]),
 	}
 }
 

docs/docker/nightly.csv

@@ -349,3 +349,11 @@ scratch,bce876d1,2022-06-14,sha256:111070b8f387f5c2c0acbd5ca7d820685f1d3a5b0af35
 alpine,bce876d1,2022-06-14,sha256:111070b8f387f5c2c0acbd5ca7d820685f1d3a5b0af35240549c04918655242b
 debian,bce876d1,2022-06-14,sha256:1514d992b223c6df7baa73f1dfab1896991cfd5079e73d0dae7b2a472da599d7
 ubi8,bce876d1,2022-06-14,sha256:2412e4ddb6f7375361bc4f30ddd5293fef63c53c49a29a1210d8d803c5110a1e
+scratch,3330636b,2022-06-20,sha256:b914082a8d09706aa934dcc550afb6da860ae62904a3b9bc9f80a96366c7c9ea
+alpine,3330636b,2022-06-20,sha256:b914082a8d09706aa934dcc550afb6da860ae62904a3b9bc9f80a96366c7c9ea
+debian,3330636b,2022-06-20,sha256:4b3f57a8b6eb835a63c9e6734335de2bd3da9e33c1fa479e61bdf776f79a30a1
+ubi8,3330636b,2022-06-20,sha256:85263019054afa688da5569c3b50f7bd5f746dd557b6af2750e9574cb88c301e
+scratch,b92b481b,2022-06-21,sha256:e8b27472b6999ca9851e95bc62b7891340213d1ba6eadf24e89a202d1f8d5c10
+alpine,b92b481b,2022-06-21,sha256:e8b27472b6999ca9851e95bc62b7891340213d1ba6eadf24e89a202d1f8d5c10
+debian,b92b481b,2022-06-21,sha256:7adb83e7fe52e55d1481e5ccc7488250a58d0a83275b05f3062647259ffb48b5
+ubi8,b92b481b,2022-06-21,sha256:40841db84b700c90b7a762eb30cbb110ae0a67b58ba1d7817adec1d6b4f68582

docs/docker/nightly.md

@@ -350,3 +350,11 @@ scratch  |  bce876d1  |  2022-06-14  |  sha256:111070b8f387f5c2c0acbd5ca7d820685
 alpine   |  bce876d1  |  2022-06-14  |  sha256:111070b8f387f5c2c0acbd5ca7d820685f1d3a5b0af35240549c04918655242b
 debian   |  bce876d1  |  2022-06-14  |  sha256:1514d992b223c6df7baa73f1dfab1896991cfd5079e73d0dae7b2a472da599d7
 ubi8     |  bce876d1  |  2022-06-14  |  sha256:2412e4ddb6f7375361bc4f30ddd5293fef63c53c49a29a1210d8d803c5110a1e
+scratch  |  3330636b  |  2022-06-20  |  sha256:b914082a8d09706aa934dcc550afb6da860ae62904a3b9bc9f80a96366c7c9ea
+alpine   |  3330636b  |  2022-06-20  |  sha256:b914082a8d09706aa934dcc550afb6da860ae62904a3b9bc9f80a96366c7c9ea
+debian   |  3330636b  |  2022-06-20  |  sha256:4b3f57a8b6eb835a63c9e6734335de2bd3da9e33c1fa479e61bdf776f79a30a1
+ubi8     |  3330636b  |  2022-06-20  |  sha256:85263019054afa688da5569c3b50f7bd5f746dd557b6af2750e9574cb88c301e
+scratch  |  b92b481b  |  2022-06-21  |  sha256:e8b27472b6999ca9851e95bc62b7891340213d1ba6eadf24e89a202d1f8d5c10
+alpine   |  b92b481b  |  2022-06-21  |  sha256:e8b27472b6999ca9851e95bc62b7891340213d1ba6eadf24e89a202d1f8d5c10
+debian   |  b92b481b  |  2022-06-21  |  sha256:7adb83e7fe52e55d1481e5ccc7488250a58d0a83275b05f3062647259ffb48b5
+ubi8     |  b92b481b  |  2022-06-21  |  sha256:40841db84b700c90b7a762eb30cbb110ae0a67b58ba1d7817adec1d6b4f68582