fix(queries): align queries across different platforms
roi-orca committed Jun 28, 2022
1 parent 4cec726 commit d150f3c
Showing 39 changed files with 41 additions and 41 deletions.
@@ -1,9 +1,9 @@
{
"id": "f5f38943-664b-4acc-ab11-f292fa10ed0b",
"queryName": "API Gateway without WAF",
"severity": "MEDIUM",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled",
"descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/wafv2_resources_module.html#parameter-arn",
"platform": "Ansible",
"descriptionID": "8e789062",
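Review bot: the two changed lines in this hunk (the severity line and the descriptionText line) render identically, so the only difference can be trailing whitespace or a line-ending change; confirm that is all it is (no BOM or CRLF being introduced), and say so in the commit message, since a reader of the diff otherwise cannot tell what changed in this file.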
@@ -3,7 +3,7 @@
"queryName": "CloudTrail Log File Validation Disabled",
"severity": "LOW",
"category": "Observability",
"descriptionText": "CloudTrail Log Files should have validation enabled",
"descriptionText": "CloudTrail log file validation should be enabled",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
"platform": "Ansible",
"descriptionID": "04302074",
@@ -3,7 +3,7 @@
"queryName": "CloudTrail Log Files Not Encrypted With CMK",
"severity": "LOW",
"category": "Encryption",
"descriptionText": "CloudTrail Log Files should be encrypted with Key Management Service (KMS)",
"descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
"platform": "Ansible",
"descriptionID": "d3b81fde",
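Review bot: the new descriptionText says "encrypted using KMS" while the queryName still says "Not Encrypted With CMK"; the module's kms_key_id selects a customer-managed KMS key, so "encrypted with a customer-managed KMS key (kms_key_id)" keeps name and description consistent and tells the user which field to set. The Terraform twin in this commit uses the same sentence, so change both together.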
@@ -3,7 +3,7 @@
"queryName": "DB Instance Publicly Accessible",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').",
"descriptionText": "RDS must not be defined with public interface.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade",
"platform": "Ansible",
"descriptionID": "e1b53fb6",
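Review bot: the replacement descriptionText drops the actionable part of the old one ('publicly_accessible' should not be 'true', default is 'false'), which is the opposite of what other hunks in this commit do (the CodeBuild and Container Registry descriptions gain the field name); keep the field reference. The unchanged descriptionUrl also anchors on #parameter-auto_minor_version_upgrade, which has nothing to do with this check; it should be #parameter-publicly_accessible.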
@@ -3,7 +3,7 @@
"queryName": "Hardcoded AWS Access Key In Lambda",
"severity": "MEDIUM",
"category": "Secret Management",
"descriptionText": "Lambda access key should not be in plaintext.",
"descriptionText": "Lambda hardcoded AWS access/secret keys",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html",
"platform": "Ansible",
"descriptionID": "fc78f6de",
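Review bot: "Lambda hardcoded AWS access/secret keys" is a label, not a statement of the expected state, unlike the "X should Y" phrasing the rest of this commit converges on; suggest "Lambda environment variables should not contain hardcoded AWS access or secret keys" (assuming the Rego inspects environment_variables). The Terraform EC2 user-data query in this same commit stays at LOW while this one is MEDIUM; a hardcoded long-lived key is the same class of finding in both places, so an alignment commit should reconcile the severities as well.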
@@ -3,7 +3,7 @@
"queryName": "IAM Password Without Number",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "Check if IAM account password has at least one number",
"descriptionText": "IAM user resource Login Profile Password should have at least one number",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
"platform": "Ansible",
"descriptionID": "c4ca592e",
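Review bot: the new descriptionText talks about an IAM user's Login Profile password, but the descriptionUrl points at the iam_password_policy module, which sets the account-wide policy (require_numbers); one of the two is wrong. If the query inspects the password policy, say "IAM password policy should require at least one number"; if it inspects a plaintext password given to a user in a playbook, the URL should point at the module that sets that password, not at the policy module.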
@@ -3,7 +3,7 @@
"queryName": "S3 Bucket Logging Disabled",
"severity": "LOW",
"category": "Observability",
"descriptionText": "S3 bucket without debug_botocore_endpoint_logs",
"descriptionText": "Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-debug_botocore_endpoint_logs",
"platform": "Ansible",
"descriptionID": "2b508aee",
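Review bot: the old text "S3 bucket without debug_botocore_endpoint_logs" and the unchanged descriptionUrl anchor (#parameter-debug_botocore_endpoint_logs) both refer to a boto client debugging switch that has nothing to do with S3 server access logging, so rewording the description alone hides the problem rather than fixing it; check that the Rego actually evaluates bucket access logging (in Ansible that is the community.aws.s3_logging module, not a parameter of s3_bucket) and repoint the URL there. "So that all changes are logged" also overstates it: server access logging records requests, not only changes.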
@@ -1,6 +1,6 @@
{
"id": "7af1c447-c014-4f05-bd8b-ebe3a15734ac",
"queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
"queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"descriptionText": "Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.",
@@ -3,7 +3,7 @@
"queryName": "Stack Notifications Disabled",
"severity": "MEDIUM",
"category": "Observability",
"descriptionText": "AWS CloudFormation should have stack notifications enabled",
"descriptionText": "Enable AWS CloudFormation Stack Notifications",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html#parameter-notification_arns",
"platform": "Ansible",
"descriptionID": "59f8905d",
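Review bot: "Enable AWS CloudFormation Stack Notifications" is an imperative, while the other descriptions touched by this commit converge on "X should Y"; suggest "AWS CloudFormation stacks should have notifications enabled, which means notification_arns should be defined", which also names the parameter the descriptionUrl anchors on.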
@@ -3,7 +3,7 @@
"queryName": "Azure Container Registry With No Locks",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association",
"descriptionText": "Azurerm Container Registry Should Contain Associated Locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_lock_module.html",
"platform": "Ansible",
"descriptionID": "7489a85f",
@@ -3,7 +3,7 @@
"queryName": "Public Storage Account",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "Check if 'network_acls' is open to public.",
"descriptionText": "Storage Account should not be public",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls",
"platform": "Ansible",
"descriptionID": "78d2c5b3",
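Review bot: "Storage Account should not be public" loses the field the old text named; the check is on network_acls (the descriptionUrl still anchors on it), so keep the reference the way the other Azure descriptions in this commit do, e.g. "Storage Account should not be public, which means network_acls default_action should be 'Deny'" (assuming the Rego keys on default_action).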
@@ -2,7 +2,7 @@
"id": "869e7fb4-30f0-4bdb-b360-ad548f337f2f",
"queryName": "Redis Cache Allows Non SSL Connections",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"category": "Encryption",
"descriptionText": "Check if any Redis Cache resource allows non-SSL connections.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscache_module.html",
"platform": "Ansible",
@@ -2,7 +2,7 @@
"id": "be41f891-96b1-4b9d-b74f-b922a918c778",
"queryName": "COS Node Image Not Used",
"severity": "HIGH",
"category": "Resource Management",
"category": "Insecure Configurations",
"descriptionText": "The node image should be Container-Optimized OS(COS)",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-config/image_type",
"platform": "Ansible",
@@ -3,7 +3,7 @@
"queryName": "Google Compute Subnetwork with Private Google Access Disabled",
"severity": "LOW",
"category": "Networking and Firewall",
"descriptionText": "Google Compute Subnetwork should have 'private_ip_google_access' set to yes",
"descriptionText": "Google Compute Subnetwork should have Private Google Access enabled.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_subnetwork_module.html#parameter-private_ip_google_access",
"platform": "Ansible",
"descriptionID": "f5dece39",
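Review bot: this hunk removes the 'private_ip_google_access' reference from the Ansible description while the Terraform twin in this same commit adds it ("...which means 'private_ip_google_access' should be set to true"); for an alignment commit the two should end with the same sentence. Keep the field name here too (the Ansible value is yes/true).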
@@ -3,7 +3,7 @@
"queryName": "High Google KMS Crypto Key Rotation Period",
"severity": "MEDIUM",
"category": "Encryption",
"descriptionText": "Make sure Encryption keys changes after 90 days",
"descriptionText": "Make sure Encryption keys change after 90 days",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html",
"platform": "Ansible",
"descriptionID": "9072f426",
@@ -3,7 +3,7 @@
"queryName": "High KMS Rotation Period",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "Check if any KMS rotation period surpasses 365 days.",
"descriptionText": "Check that keys aren't the same for a period greater than 365 days.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html",
"platform": "Ansible",
"descriptionID": "46702906",
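Review bot: "Check that keys aren't the same for a period greater than 365 days" is harder to read than the line it replaces; "rotation_period should not exceed 365 days" says what the Rego actually compares. This query and "High Google KMS Crypto Key Rotation Period" (90 days, MEDIUM) both target gcp_kms_crypto_key with the same descriptionUrl, so a key at 400 days triggers both; both descriptions should state their threshold so a reader understands why two findings appear.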
@@ -2,7 +2,7 @@
"id": "c6fc6f29-dc04-46b6-99ba-683c01aff350",
"queryName": "Serial Ports Are Enabled For VM Instances",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"category": "Insecure Configurations",
"descriptionText": "Check if serial ports are enabled in Google Compute Engine VM instances",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
"platform": "Ansible",
@@ -3,7 +3,7 @@
"queryName": "SSH Access Is Not Restricted",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"descriptionText": "Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).",
"descriptionText": "Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html",
"platform": "Ansible",
"descriptionID": "1b0564ad",
@@ -2,7 +2,7 @@
"id": "2775e169-e708-42a9-9305-b58aadd2c4dd",
"queryName": "Using Default Service Account",
"severity": "MEDIUM",
"category": "Insecure Defaults",
"category": "Insecure Configurations",
"descriptionText": "Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
"platform": "Ansible",
@@ -1,6 +1,6 @@
{
"id": "de77cd9f-0e8b-46cc-b4a4-b6b436838642",
"queryName": "CloudFront Logging Disabled",
"queryName": "Cloudfront Logging Disabled",
"severity": "MEDIUM",
"category": "Observability",
"descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'DistributionConfig.Logging' must be defined",
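Review bot: this rename goes from "CloudFront" to "Cloudfront", the opposite direction of the Title Case normalisation applied elsewhere in this commit ("SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "CA Certificate Identifier Is Outdated"), and "CloudFront" is the product's own spelling; if the goal is one name across platforms, change the other platform's file to "CloudFront Logging Disabled" instead.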
@@ -1,6 +1,6 @@
{
"id": "0f139403-303f-467c-96bd-e717e6cfd62d",
"queryName": "CloudFront Without WAF",
"queryName": "Cloudfront Without WAF",
"severity": "LOW",
"category": "Networking and Firewall",
"descriptionText": "All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service",
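Review bot: after this rename the queryName says "Cloudfront" while the descriptionText two lines below still says "AWS CloudFront"; use the product spelling in both fields.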
@@ -3,7 +3,7 @@
"queryName": "CodeBuild Not Encrypted",
"severity": "MEDIUM",
"category": "Encryption",
"descriptionText": "CodeBuild Should have EncryptionKey defined",
"descriptionText": "CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html",
"platform": "CloudFormation",
"descriptionID": "3e1306b1",
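Review bot: "CodeBuild Project should be encrypted" overstates the finding: build output artifacts are encrypted by default with the AWS-managed S3 key, and EncryptionKey only selects a customer-managed KMS key; "CodeBuild Project should use a customer-managed KMS key, which means EncryptionKey should be defined" describes what the check actually proves and matches the "Not Encrypted With CMK" wording used for CloudTrail in this commit.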
@@ -1,6 +1,6 @@
{
"id": "9564406d-e761-4e61-b8d7-5926e3ab8e79",
"queryName": "DB Security Group with Public Scope",
"queryName": "DB Security Group With Public Scope",
"severity": "HIGH",
"category": "Networking and Firewall",
"descriptionText": "The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).",
@@ -1,6 +1,6 @@
{
"id": "01986452-bdd8-4aaa-b5df-d6bf61d616ff",
"queryName": "ECS Service Admin Role Is Present",
"queryName": "ECS Service Admin Role is Present",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role",
@@ -3,7 +3,7 @@
"queryName": "User Data Contains Encoded Private Key",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "User Data Base64 contains an encoded RSA Private Key",
"descriptionText": "User Data contains an encoded RSA Private Key",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html",
"platform": "CloudFormation",
"descriptionID": "b8212287",
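Review bot: the description names only an RSA private key; if the Rego matches only the "BEGIN RSA PRIVATE KEY" header, keys in PKCS#8 ("BEGIN PRIVATE KEY"), OpenSSH ("BEGIN OPENSSH PRIVATE KEY") and EC formats embedded in UserData go undetected, so either the check should cover those headers or the text should say what it catches. The descriptionUrl also points only at the LaunchConfiguration page although the same UserData risk exists for other resources that carry user data; if the query covers them, say so.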
@@ -1,8 +1,8 @@
{
"id": "3ddfa124-6407-4845-a501-179f90c65097",
"queryName": "Authentication Without MFA",
"severity": "HIGH",
"category": "Insecure Configurations",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "Users should authenticate with MFA (Multi-factor Authentication)",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy",
"platform": "Terraform",
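Review bot: this hunk downgrades "Authentication Without MFA" from HIGH/Insecure Configurations to MEDIUM/Best Practices with no reason in the commit message; a missing MFA requirement is a direct credential-compromise exposure rather than a style preference, and "align" does not say which platform's values won or why. State the rationale, and if the check looks for the aws:MultiFactorAuthPresent condition in the user policy, name it in the description rather than linking the whole iam_user_policy page.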
@@ -1,6 +1,6 @@
{
"id": "9f40c07e-699e-4410-8856-3ba0f2e3a2dd",
"queryName": "CA certificate Identifier is outdated",
"queryName": "CA Certificate Identifier Is Outdated",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "The CA certificate Identifier must be 'rds-ca-2019'.",
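Review bot: the description hardcodes 'rds-ca-2019' as the only acceptable value, but that CA bundle has its own expiry and RDS will ship newer identifiers, at which point the query starts flagging the correct setting; phrase it as an allow-list of current identifiers (or a deny-list of the retired ones) so the text and the Rego can be updated in one place.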
@@ -2,7 +2,7 @@
"id": "5d9e3164-9265-470c-9a10-57ae454ac0c7",
"queryName": "CloudTrail Log Files Not Encrypted With CMK",
"severity": "LOW",
"category": "Observability",
"category": "Encryption",
"descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id",
"platform": "Terraform",
@@ -1,6 +1,6 @@
{
"id": "e979fcbc-df6c-422d-9458-c33d65e71c45",
"queryName": "Elasticsearch Without Slow Logs",
"queryName": "ElasticSearch Without Slow Logs",
"severity": "MEDIUM",
"category": "Observability",
"descriptionText": "Ensure that AWS Elasticsearch enables support for slow logs",
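Review bot: the rename produces "ElasticSearch", which is not the product spelling ("Elasticsearch", as the descriptionText in the same file still has it); if the point is to match the other platform's queryName, use "Elasticsearch Without Slow Logs" on both rather than copying the misspelt one.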
@@ -3,7 +3,7 @@
"queryName": "Hardcoded AWS Access Key",
"severity": "LOW",
"category": "Secret Management",
"descriptionText": "Hard-coded AWS access key / secret key exists in EC2 user data",
"descriptionText": "Check if the user data in the EC2 instance has the access key hardcoded",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance",
"platform": "Terraform",
"descriptionID": "9e8cbdfb",
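Review bot: the new descriptionText drops "secret key" and the "Check if ..." phrasing reads as a note to the query author rather than to the user; keep "Hard-coded AWS access key or secret key in EC2 user data". Severity LOW is also hard to defend: user data is readable by any process on the instance through the metadata service and by anyone with ec2:DescribeInstanceAttribute, and the Lambda counterpart in this commit is MEDIUM for the same class of finding.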
@@ -1,6 +1,6 @@
{
"id": "6e8849c1-3aa7-40e3-9063-b85ee300f29f",
"queryName": "SQS With SSE Disabled",
"queryName": "SQS with SSE disabled",
"severity": "MEDIUM",
"category": "Encryption",
"descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
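Review bot: "SQS with SSE disabled" lowercases the words that other renames in this commit capitalise ("DB Security Group With Public Scope"); pick one queryName convention for the repository rather than adopting whichever platform happened to have the name, otherwise the next alignment pass flips these back.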
@@ -3,7 +3,7 @@
"queryName": "User Data Contains Encoded Private Key",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "User Data Base64 contains an encoded RSA Private Key",
"descriptionText": "User Data contains an encoded RSA Private Key",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64",
"platform": "Terraform",
"descriptionID": "e3b3b5c1",
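Review bot: the descriptionUrl still anchors on #user_data_base64, which matched the old text, but the new text says "User Data" in general; if the query only decodes user_data_base64 and not plain user_data, the generalised description promises more than the check does, and if it covers both, the URL should point at the resource rather than one attribute.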
@@ -3,7 +3,7 @@
"queryName": "AKS Network Policy Misconfigured",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.",
"descriptionText": "Azure Kubernetes Service should have the proper network policy configuration",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster",
"platform": "Terraform",
"descriptionID": "7708dadb",
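Review bot: the descriptionUrl points at the azurerm kubernetes_cluster data source; the check runs against the resource, so it should be .../resources/kubernetes_cluster#network_policy. "Proper network policy configuration" also never says what proper is; the other Terraform descriptions in this commit name the attribute, so say that network_profile.network_policy should be set (azure or calico).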
@@ -3,7 +3,7 @@
"queryName": "Azure Container Registry With No Locks",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "Azurerm Container Registry Must Contain Associated Locks ",
"descriptionText": "Azurerm Container Registry Should Contain Associated Locks",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry",
"platform": "Terraform",
"descriptionID": "adb235b6",
@@ -3,7 +3,7 @@
"queryName": "CosmosDB Account IP Range Filter Not Set",
"severity": "HIGH",
"category": "Networking and Firewall",
"descriptionText": "The Ip Range Must Contain Ips",
"descriptionText": "The IP range filter should be defined",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#ip_range_filter",
"platform": "Terraform",
"descriptionID": "fd34a2d6",
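Review bot: "The IP range filter should be defined" is weaker than a HIGH finding warrants: ip_range_filter set to "0.0.0.0" (the Cosmos DB sentinel that admits all Azure services) or to an overly broad range would pass a "defined" check; say "defined and restricted to known client ranges" and make sure the Rego treats the all-Azure sentinel and wide ranges as not restricted.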
@@ -3,7 +3,7 @@
"queryName": "Role Definition Allows Custom Role Creation",
"severity": "MEDIUM",
"category": "Access Control",
"descriptionText": "Role Definition should not allow custom role creation",
"descriptionText": "Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions",
"platform": "Terraform",
"descriptionID": "a96dc1b9",
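Review bot: naming the action is an improvement; it is worth adding that a wildcard such as Microsoft.Authorization/* or * in actions grants the same permission, and confirming the Rego matches those forms, otherwise the description implies an exact-string check that a wildcard role definition slips past.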
@@ -3,7 +3,7 @@
"queryName": "Unrestricted SQL Server Access",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'",
"descriptionText": "Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule",
"platform": "Terraform",
"descriptionID": "837de8dd",
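Review bot: the new sentence carries over "lesser than 256" and "both ips" from the old one; they should read "less than 256" and "both IPs". It would also help to say that a rule with start and end both '0.0.0.0' is Azure's "Allow Azure services and resources to access this server" switch, since that is the usual way this finding gets introduced.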
@@ -3,7 +3,7 @@
"queryName": "Google Compute Subnetwork with Private Google Access Disabled",
"severity": "LOW",
"category": "Networking and Firewall",
"descriptionText": "Google Compute Subnetwork should have 'private_ip_google_access' set to true",
"descriptionText": "Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#private_ip_google_access",
"platform": "Terraform",
"descriptionID": "87e8a4f7",
@@ -3,7 +3,7 @@
"queryName": "Serial Ports Are Enabled For VM Instances",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Check if VM instance enables serial ports",
"descriptionText": "Check if serial ports are enabled in Google Compute Engine VM instances",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance",
"platform": "Terraform",
"descriptionID": "2967cde6",