Skip to content

fix(query): fix EFS Volume With Disabled Transit Encryption queries for multiple volumes cases #7947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cx-artur-ribeiro wants to merge 3 commits into
base: master
Choose a base branch
from
Open

fix(query): fix EFS Volume With Disabled Transit Encryption queries for multiple volumes cases #7947

cx-artur-ribeiro wants to merge 3 commits into from
+1,124 −61

Conversation

@cx-artur-ribeiro
Copy link
Contributor

@cx-artur-ribeiro cx-artur-ribeiro commented Jan 15, 2026
edited
Loading

Reason for Proposed Changes

  • The EFS Volume With Disabled Transit Encryption Terraform query did not account for multiple volumes in a single aws_ecs_task_definition resource, causing all volumes to generate identical similarityIDs. Without volume indexing in the searchKey and searchLine, KICS silently deduplicated vulnerability reports, leaving security issues in additional volumes undetected.
  • Terraform Query: Did not explicitly index volumes (resource.volume instead of resource.volume[vol_idx]), causing all volumes to generate identical searchKeys and searchLines;
  • CloudFormation Query: Used a helper function that produced multiple outputs for the same inputs, triggering eval_conflict_error and preventing the query from executing;
  • No test cases validated multiple volumes in a single resource, allowing the bug to go undetected;

Proposed Changes

  • Terraform Query Refactoring
    • Added volume indexing: Changed from resource.volume to resource.volume[vol_idx] to capture array indices
    • Added structure detection: Implemented is_array() checks to handle both:
      • Single volume (object): "volume": {...};
      • Multiple volumes (array): "volume": [{...}, {...}];
    • Created helper functions:
      • get_volumes(): Normalizes both structures, returning volume objects with indices;
      • get_search_key(): Builds unique searchKeys including volume index when present;
      • get_search_line(): Inserts volume index into searchLine path for proper identification;
    • Each volume now generates a unique similarityID, ensuring all vulnerabilities are reported;
  • CloudFormation Query Refactoring
    • Removed is_transit_encryption_disabled() that caused eval_conflict_error;
    • Flattened to 4 independent CxPolicy rules:
      1. TransitEncryption explicitly set to non-ENABLED value
      2. TransitEncryption attribute missing (with null check to prevent overlap)
      3. EFSVolumeConfiguration block missing
      4. Volumes property missing entirely
  • Terraform Tests:
    • positive1-3.tf: Single volume scenarios (DISABLED, missing attribute, missing config);
    • positive4-6.tf: Multiple volume scenarios (2 volumes each with same issue type);
    • positive7.tf: Mixed scenario (one good volume, one bad volume);
    • negative1-2.tf: Properly configured resources (single and multiple volumes);
  • CloudFormation Tests:
    • positive1-8: Single volume scenarios in both JSON and YAML;
    • positive9-11: Multiple volume scenarios in both JSON and YAML;
    • positive12: Mixed scenario in both JSON and YAML;
    • negative1-3: Properly configured resources in JSON and YAML;

I submit this contribution under the Apache-2.0 license.

@cx-artur-ribeiro cx-artur-ribeiro self-assigned this Jan 15, 2026
@cx-artur-ribeiro cx-artur-ribeiro added cloudformation CloudFormation query terraform Terraform query labels Jan 15, 2026
@github-actions github-actions bot added query New query feature and removed cloudformation CloudFormation query terraform Terraform query labels Jan 15, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Jan 15, 2026

kics-logo

KICS version: v2.1.18

Category Results
CRITICAL CRITICAL 0
HIGH HIGH 0
MEDIUM MEDIUM 0
LOW LOW 0
INFO INFO 0
TRACE TRACE 0
TOTAL TOTAL 0
Metric Values
Files scanned placeholder 1
Files parsed placeholder 1
Files failed to scan placeholder 0
Total executed queries placeholder 47
Queries failed to execute placeholder 0
Execution time placeholder 0

@github-actions github-actions bot added bug Something isn't working cloudformation CloudFormation query terraform Terraform query aws PR related with AWS Cloud labels Jan 15, 2026
@cx-artur-ribeiro cx-artur-ribeiro marked this pull request as ready for review January 15, 2026 13:40
@cx-artur-ribeiro cx-artur-ribeiro requested a review from a team as a code owner January 15, 2026 13:40
cx-eduardo-semanas
cx-eduardo-semanas approved these changes Jan 16, 2026
View reviewed changes
Copy link
Contributor

@cx-eduardo-semanas cx-eduardo-semanas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cx-eduardo-semanas cx-eduardo-semanas cx-eduardo-semanas approved these changes

Assignees

@cx-artur-ribeiro cx-artur-ribeiro

Labels

aws PR related with AWS Cloud bug Something isn't working cloudformation CloudFormation query query New query feature terraform Terraform query

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cx-artur-ribeiro @cx-eduardo-semanas