Checkmarx · rafaela-soares · Aug 23, 2022 · Jun 28, 2022 · Jul 3, 2022 · Jul 13, 2022
@@ -1,9 +1,9 @@
 {
   "id": "f5f38943-664b-4acc-ab11-f292fa10ed0b",
   "queryName": "API Gateway without WAF",
-	"severity": "MEDIUM",
+  "severity": "MEDIUM",
   "category": "Networking and Firewall",
-	"descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled",
+  "descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/wafv2_resources_module.html#parameter-arn",
   "platform": "Ansible",
   "descriptionID": "8e789062",

@@ -1,6 +1,6 @@
 {
   "id": "d31cb911-bf5b-4eb6-9fc3-16780c77c7bd",
-  "queryName": "Cloudfront Logging Disabled",
+  "queryName": "CloudFront Logging Disabled",
   "severity": "MEDIUM",
   "category": "Observability",
   "descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true",

@@ -1,11 +1,11 @@
 [
   {
-    "queryName": "Cloudfront Logging Disabled",
+    "queryName": "CloudFront Logging Disabled",
     "severity": "MEDIUM",
     "line": 2
   },
   {
-    "queryName": "Cloudfront Logging Disabled",
+    "queryName": "CloudFront Logging Disabled",
     "severity": "MEDIUM",
     "line": 62
   }

@@ -1,6 +1,6 @@
 {
   "id": "22c80725-e390-4055-8d14-a872230f6607",
-  "queryName": "Cloudfront Without WAF",
+  "queryName": "CloudFront Without WAF",
   "severity": "LOW",
   "category": "Networking and Firewall",
   "descriptionText": "All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service",

@@ -1,6 +1,6 @@
 [
 	{
-		"queryName": "Cloudfront Without WAF",
+		"queryName": "CloudFront Without WAF",
 		"severity": "LOW",
 		"line": 2
 	}

@@ -3,7 +3,7 @@
   "queryName": "CloudTrail Log File Validation Disabled",
   "severity": "LOW",
   "category": "Observability",
-  "descriptionText": "CloudTrail Log Files should have validation enabled",
+  "descriptionText": "CloudTrail log file validation should be enabled",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
   "platform": "Ansible",
   "descriptionID": "04302074",

@@ -3,7 +3,7 @@
   "queryName": "CloudTrail Log Files Not Encrypted With CMK",
   "severity": "LOW",
   "category": "Encryption",
-  "descriptionText": "CloudTrail Log Files should be encrypted with Key Management Service (KMS)",
+  "descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
   "platform": "Ansible",
   "descriptionID": "d3b81fde",

@@ -3,7 +3,7 @@
   "queryName": "Hardcoded AWS Access Key",
   "severity": "LOW",
   "category": "Secret Management",
-  "descriptionText": "Check if the user data in the EC2 instance has the access key hardcoded",
+  "descriptionText": "AWS Access Key should not be hardcoded",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_instance_module.html",
   "platform": "Ansible",
   "descriptionID": "d764256e",

@@ -3,7 +3,7 @@
   "queryName": "Hardcoded AWS Access Key In Lambda",
   "severity": "MEDIUM",
   "category": "Secret Management",
-  "descriptionText": "Lambda access key should not be in plaintext.",
+  "descriptionText": "Lambda access/secret keys should not be in plaintext",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html",
   "platform": "Ansible",
   "descriptionID": "fc78f6de",

@@ -3,7 +3,7 @@
   "queryName": "IAM Password Without Number",
   "severity": "MEDIUM",
   "category": "Best Practices",
-  "descriptionText": "Check if IAM account password has at least one number",
+  "descriptionText": "IAM user resource Login Profile Password should have at least one number",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
   "platform": "Ansible",
   "descriptionID": "c4ca592e",

@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket Logging Disabled",
   "severity": "LOW",
   "category": "Observability",
-  "descriptionText": "S3 bucket without debug_botocore_endpoint_logs",
+  "descriptionText": "Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-debug_botocore_endpoint_logs",
   "platform": "Ansible",
   "descriptionID": "2b508aee",

@@ -1,6 +1,6 @@
 {
   "id": "7af1c447-c014-4f05-bd8b-ebe3a15734ac",
-  "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+  "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
   "severity": "MEDIUM",
   "category": "Networking and Firewall",
   "descriptionText": "Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.",

@@ -1,26 +1,26 @@
 [
   {
-    "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+    "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 9
   },
   {
-    "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+    "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 23
   },
   {
-    "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+    "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 37
   },
   {
-    "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+    "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 51
   },
   {
-    "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+    "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 65
   }

@@ -1,6 +1,6 @@
 {
   "id": "e1e7b278-2a8b-49bd-a26e-66a7f70b17eb",
-  "queryName": "SQS with SSE disabled",
+  "queryName": "SQS With SSE Disabled",
   "severity": "MEDIUM",
   "category": "Encryption",
   "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",

@@ -1,21 +1,21 @@
 [
   {
-    "queryName": "SQS with SSE disabled",
+    "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 2
   },
   {
-    "queryName": "SQS with SSE disabled",
+    "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 16
   },
   {
-    "queryName": "SQS with SSE disabled",
+    "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 22
   },
   {
-    "queryName": "SQS with SSE disabled",
+    "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 29
   }

@@ -3,7 +3,7 @@
   "queryName": "User Data Contains Encoded Private Key",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "User Data contains an encoded RSA Private Key",
+  "descriptionText": "User Data should not contain an encoded RSA Private Key",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html",
   "platform": "Ansible",
   "descriptionID": "45cb51c3",

@@ -3,7 +3,7 @@
   "queryName": "Azure Container Registry With No Locks",
   "severity": "HIGH",
   "category": "Insecure Configurations",
-  "descriptionText": "Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association",
+  "descriptionText": "Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_lock_module.html",
   "platform": "Ansible",
   "descriptionID": "7489a85f",

@@ -3,7 +3,7 @@
   "queryName": "Public Storage Account",
   "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "Check if 'network_acls' is open to public.",
+  "descriptionText": "Storage Account should not be public",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls",
   "platform": "Ansible",
   "descriptionID": "78d2c5b3",

@@ -2,7 +2,7 @@
   "id": "869e7fb4-30f0-4bdb-b360-ad548f337f2f",
   "queryName": "Redis Cache Allows Non SSL Connections",
   "severity": "MEDIUM",
-  "category": "Insecure Configurations",
+  "category": "Encryption",
   "descriptionText": "Check if any Redis Cache resource allows non-SSL connections.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscache_module.html",
   "platform": "Ansible",

@@ -2,7 +2,7 @@
   "id": "be41f891-96b1-4b9d-b74f-b922a918c778",
   "queryName": "COS Node Image Not Used",
   "severity": "HIGH",
-  "category": "Resource Management",
+  "category": "Insecure Configurations",
   "descriptionText": "The node image should be Container-Optimized OS(COS)",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-config/image_type",
   "platform": "Ansible",

@@ -3,7 +3,7 @@
   "queryName": "Google Compute Subnetwork with Private Google Access Disabled",
   "severity": "LOW",
   "category": "Networking and Firewall",
-  "descriptionText": "Google Compute Subnetwork should have 'private_ip_google_access' set to yes",
+  "descriptionText": "Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_subnetwork_module.html#parameter-private_ip_google_access",
   "platform": "Ansible",
   "descriptionID": "f5dece39",

diff --git a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/metadata.json b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "High Google KMS Crypto Key Rotation Period",
   "severity": "MEDIUM",
   "category": "Encryption",
-  "descriptionText": "Make sure Encryption keys changes after 90 days",
+  "descriptionText": "Make sure Encryption keys change after 90 days",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html",
   "platform": "Ansible",
   "descriptionID": "9072f426",

@@ -3,7 +3,7 @@
   "queryName": "High KMS Rotation Period",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "Check if any KMS rotation period surpasses 365 days.",
+  "descriptionText": "Check that keys aren't the same for a period greater than 365 days.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html",
   "platform": "Ansible",
   "descriptionID": "46702906",

@@ -2,8 +2,8 @@
   "id": "c6fc6f29-dc04-46b6-99ba-683c01aff350",
   "queryName": "Serial Ports Are Enabled For VM Instances",
   "severity": "MEDIUM",
-  "category": "Networking and Firewall",
-  "descriptionText": "Check if serial ports are enabled in Google Compute Engine VM instances",
+  "category": "Insecure Configurations",
+  "descriptionText": "Google Compute Engine VM instances should not enable serial ports",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
   "platform": "Ansible",
   "descriptionID": "7f8ab7a4",

@@ -3,7 +3,7 @@
   "queryName": "SSH Access Is Not Restricted",
   "severity": "MEDIUM",
   "category": "Networking and Firewall",
-  "descriptionText": "Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).",
+  "descriptionText": "Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block)",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html",
   "platform": "Ansible",
   "descriptionID": "1b0564ad",

@@ -2,7 +2,7 @@
   "id": "2775e169-e708-42a9-9305-b58aadd2c4dd",
   "queryName": "Using Default Service Account",
   "severity": "MEDIUM",
-  "category": "Insecure Defaults",
+  "category": "Insecure Configurations",
   "descriptionText": "Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
   "platform": "Ansible",

@@ -3,7 +3,7 @@
   "queryName": "CodeBuild Not Encrypted",
   "severity": "MEDIUM",
   "category": "Encryption",
-  "descriptionText": "CodeBuild Should have EncryptionKey defined",
+  "descriptionText": "CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html",
   "platform": "CloudFormation",
   "descriptionID": "3e1306b1",

@@ -1,6 +1,6 @@
 {
   "id": "9564406d-e761-4e61-b8d7-5926e3ab8e79",
-  "queryName": "DB Security Group with Public Scope",
+  "queryName": "DB Security Group With Public Scope",
   "severity": "HIGH",
   "category": "Networking and Firewall",
   "descriptionText": "The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).",

@@ -3,36 +3,36 @@
     "severity": "HIGH",
     "line": 6,
     "fileName": "positive1.yaml",
-    "queryName": "DB Security Group with Public Scope"
+    "queryName": "DB Security Group With Public Scope"
   },
   {
-    "queryName": "DB Security Group with Public Scope",
+    "queryName": "DB Security Group With Public Scope",
     "severity": "HIGH",
     "line": 6,
     "fileName": "positive3.yaml"
   },
   {
-    "queryName": "DB Security Group with Public Scope",
+    "queryName": "DB Security Group With Public Scope",
     "severity": "HIGH",
     "line": 19,
     "fileName": "positive2.yaml"
   },
   {
-    "queryName": "DB Security Group with Public Scope",
+    "queryName": "DB Security Group With Public Scope",
     "severity": "HIGH",
     "line": 6,
     "fileName": "positive4.json"
   },
   {
-    "queryName": "DB Security Group with Public Scope",
+    "queryName": "DB Security Group With Public Scope",
     "severity": "HIGH",
     "line": 24,
     "fileName": "positive5.json"
   },
   {
     "line": 15,
     "fileName": "positive6.json",
-    "queryName": "DB Security Group with Public Scope",
+    "queryName": "DB Security Group With Public Scope",
     "severity": "HIGH"
   }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/metadata.json b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "01986452-bdd8-4aaa-b5df-d6bf61d616ff",
-  "queryName": "ECS Service Admin Role Is Present",
+  "queryName": "ECS Service Admin Role is Present",
   "severity": "HIGH",
   "category": "Access Control",
   "descriptionText": "ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role",

diff --git a/...s/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/...s/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
   {
-    "queryName": "ECS Service Admin Role Is Present",
+    "queryName": "ECS Service Admin Role is Present",
     "severity": "HIGH",
     "line": 87,
     "fileName": "positive1.yaml"
   },
   {
-    "queryName": "ECS Service Admin Role Is Present",
+    "queryName": "ECS Service Admin Role is Present",
     "severity": "HIGH",
     "line": 66,
     "fileName": "positive2.json"

@@ -3,7 +3,7 @@
   "queryName": "Hardcoded AWS Access Key In Lambda",
   "severity": "MEDIUM",
   "category": "Secret Management",
-  "descriptionText": "Lambda hardcoded AWS access/secret keys",
+  "descriptionText": "Lambda access/secret keys should not be in plaintext",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-environment",
   "platform": "CloudFormation",
   "descriptionID": "ff065e3b",

@@ -1,6 +1,6 @@
 {
   "id": "12726829-93ed-4d51-9cbe-13423f4299e1",
-  "queryName": "SQS with SSE disabled",
+  "queryName": "SQS With SSE Disabled",
   "severity": "MEDIUM",
   "category": "Encryption",
   "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",

@@ -1,12 +1,12 @@
 [
   {
-    "queryName": "SQS with SSE disabled",
+    "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 4,
     "fileName": "positive1.yaml"
   },
   {
-    "queryName": "SQS with SSE disabled",
+    "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 5,
     "fileName": "positive2.json"