Closed
Labels: aws, bug, community, docker, query, terraform
Description
When a security group ID is added in a list, KICS detects an unused security group.
Example of code: sample.zip
module "fake" {
  source            = "modules/fake"
  security_group_id = [aws_security_group.main.id]
}
This workaround doesn't trigger "security groups not used":
locals {
  security_group_id = aws_security_group.main.id
}
module "fake" {
  source            = "modules/fake"
  security_group_id = [local.security_group_id]
}
Expected Behavior
No detection of security group Not Used
Actual Behavior
Security Group Not Used, Severity: INFO, Results: 1
Description: Security group must be used or not declared
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24
[1]: ../../path/main.tf:1
001: resource "aws_security_group" "main" {
002: name = "test"
003: description = "test"
Steps to Reproduce the Problem
- docker run -t -v ./:/path checkmarx/kics scan -p /path
Specifications
(N/A if not applicable)
- Version: 2.1.1
- Platform: windows
- Subsystem: WSL ubuntu
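
An added example, not KICS's query code and not part of the original issue: a minimal Python check for the behavior the report expects, where a security group counts as used whenever `aws_security_group.<name>` appears in an expression, including inside a list passed to a module. The function names, the regex-based matching and the `orphan` group in the constructed sample are assumptions for illustration; heredocs and quotes nested inside interpolations are not handled.

```python
import re

# Constructed sample mirroring the issue: "main" is referenced only inside a
# list passed to a module; "orphan" (hypothetical) is genuinely unused.
SAMPLE_TF = '''
resource "aws_security_group" "main" {
  name        = "test"
  description = "test"
}

resource "aws_security_group" "orphan" {
  name = "orphan"
}

module "fake" {
  source            = "modules/fake"
  security_group_id = [aws_security_group.main.id]
}
'''

DECL_RE = re.compile(r'resource\s+"aws_security_group"\s+"([^"]+)"')
# A reference is the traversal aws_security_group.<name> wherever it sits:
# bare, inside [...], inside a function call, or inside "${...}".
# The lookbehind skips data.aws_security_group.* and longer identifiers.
REF_RE = re.compile(r'(?<![\w.])aws_security_group\.([A-Za-z_][\w-]*)')
# Matches a quoted string (kept) or a #, // or /* */ comment (dropped).
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|//[^\n]*|/\*.*?\*/', re.S)


def strip_comments(text):
    """Remove HCL comments so commented-out references do not count as use."""
    return TOKEN_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def unused_security_groups(tf_sources):
    """Return declared aws_security_group names never referenced in any file."""
    declared, referenced = set(), set()
    for text in tf_sources:
        text = strip_comments(text)
        declared.update(DECL_RE.findall(text))
        referenced.update(REF_RE.findall(text))
    return sorted(declared - referenced)


if __name__ == "__main__":
    print(unused_security_groups([SAMPLE_TF]))
```
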