Merge pull request #6966 from Checkmarx/kics-748-update-query-metadata

feat(kics): critical severity added into KICS

assets/queries/ansible/aws/alb_listening_on_http/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "f81d63d2-c5d7-43a4-a5b5-66717a41c895",
   "queryName": "ALB Listening on HTTP",
-  "severity": "HIGH",
+  "severity": "MEDIUM",
   "category": "Networking and Firewall",
   "descriptionText": "AWS Application Load Balancer (alb) should not listen on HTTP",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html",
   "platform": "Ansible",
   "descriptionID": "3a7576e5",
   "cloudProvider": "aws",
-  "cwe": ""
-}
+  "cwe": "",
+  "oldSeverity": "HIGH"
+}

assets/queries/ansible/aws/ami_not_encrypted/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "97707503-a22c-4cd7-b7c0-f088fa7cf830",
   "queryName": "AMI Not Encrypted",
-  "severity": "HIGH",
+  "severity": "MEDIUM",
   "category": "Encryption",
   "descriptionText": "AWS AMI Encryption is not enabled",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_ami_module.html",
   "platform": "Ansible",
   "descriptionID": "a4342f08",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "HIGH"
 }

assets/queries/ansible/aws/api_gateway_xray_disabled/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "2059155b-27fd-441e-b616-6966c468561f",
   "queryName": "API Gateway X-Ray Disabled",
-  "severity": "MEDIUM",
+  "severity": "LOW",
   "category": "Observability",
   "descriptionText": "API Gateway should have X-Ray Tracing enabled",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html#parameter-tracing_enabled",
   "platform": "Ansible",
   "descriptionID": "57da10ee",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/authentication_without_mfa/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "eee107f9-b3d8-45d3-b9c6-43b5a7263ce1",
   "queryName": "Authentication Without MFA",
-  "severity": "HIGH",
+  "severity": "LOW",
   "category": "Access Control",
   "descriptionText": "Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_mfa_device_info_module.html",
   "platform": "Ansible",
   "descriptionID": "36040ce0",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "HIGH"
 }

assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "e28ceb92-d588-4166-aac5-766c8f5b7472",
   "queryName": "AWS Password Policy With Unchangeable Passwords",
-  "severity": "MEDIUM",
+  "severity": "LOW",
   "category": "Insecure Configurations",
   "descriptionText": "Unchangeable passwords in AWS password policy",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
   "platform": "Ansible",
   "descriptionID": "5a7cf92f",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce",
   "queryName": "CA Certificate Identifier Is Outdated",
-  "severity": "HIGH",
+  "severity": "MEDIUM",
   "category": "Encryption",
   "descriptionText": "The CA certificate Identifier must be 'rds-ca-2019'.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-ca_certificate_identifier",
   "platform": "Ansible",
   "descriptionID": "d92aa922",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "HIGH"
 }

assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "d0c13053-d2c8-44a6-95da-d592996e9e67",
   "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
-  "severity": "HIGH",
+  "severity": "MEDIUM",
   "category": "Insecure Configurations",
   "descriptionText": "CloudFront Minimum Protocol version should be at least TLS 1.2",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html#parameter-viewer_certificate/minimum_protocol_version",
   "platform": "Ansible",
   "descriptionID": "b0a58f2f",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "HIGH"
 }

assets/queries/ansible/aws/cloudfront_without_waf/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "22c80725-e390-4055-8d14-a872230f6607",
   "queryName": "CloudFront Without WAF",
-  "severity": "LOW",
+  "severity": "MEDIUM",
   "category": "Networking and Firewall",
   "descriptionText": "All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
   "platform": "Ansible",
   "descriptionID": "7fd7e5c0",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "LOW"
 }

assets/queries/ansible/aws/cloudtrail_logging_disabled/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5",
   "queryName": "CloudTrail Logging Disabled",
-  "severity": "HIGH",
+  "severity": "MEDIUM",
   "category": "Observability",
   "descriptionText": "Checks if logging is enabled for CloudTrail.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html#parameter-enable_logging",
   "platform": "Ansible",
   "descriptionID": "c29f6786",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "HIGH"
 }

assets/queries/ansible/aws/cloudtrail_multi_region_disabled/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "6ad087d7-a509-4b20-b853-9ef6f5ebaa98",
   "queryName": "CloudTrail Multi Region Disabled",
-  "severity": "MEDIUM",
+  "severity": "LOW",
   "category": "Observability",
   "descriptionText": "CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html#parameter-is_multi_region_trail",
   "platform": "Ansible",
   "descriptionID": "8c4873bf",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "ebb2118a-03bc-4d53-ab43-d8750f5cb8d3",
   "queryName": "CloudTrail Not Integrated With CloudWatch",
-  "severity": "MEDIUM",
+  "severity": "LOW",
   "category": "Observability",
   "descriptionText": "CloudTrail should be integrated with CloudWatch",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
   "platform": "Ansible",
   "descriptionID": "fbc987a2",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "5ba316a9-c466-4ec1-8d5b-bc6107dc9a92",
   "queryName": "CloudTrail SNS Topic Name Undefined",
-  "severity": "MEDIUM",
+  "severity": "INFO",
   "category": "Observability",
   "descriptionText": "Check if SNS topic name is set for CloudTrail",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
   "platform": "Ansible",
   "descriptionID": "de97fa1a",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "e24e18d9-4c2b-4649-b3d0-18c088145e24",
   "queryName": "CloudWatch Without Retention Period Specified",
-  "severity": "MEDIUM",
+  "severity": "INFO",
   "category": "Observability",
   "descriptionText": "AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudwatchlogs_log_group_module.html",
   "platform": "Ansible",
   "descriptionID": "c48a227e",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/cmk_rotation_disabled/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "af96d737-0818-4162-8c41-40d969bd65d1",
   "queryName": "CMK Rotation Disabled",
-  "severity": "HIGH",
+  "severity": "LOW",
   "category": "Observability",
   "descriptionText": "Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html#parameter-enable_key_rotation",
   "platform": "Ansible",
   "descriptionID": "177ee908",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "HIGH"
 }

assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "a2fdf451-89dd-451e-af92-bf6c0f4bab96",
   "queryName": "Configuration Aggregator to All Regions Disabled",
-  "severity": "MEDIUM",
+  "severity": "LOW",
   "category": "Observability",
   "descriptionText": "AWS Config Configuration Aggregator All Regions must be set to True",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_aggregator_module.html#parameter-organization_source",
   "platform": "Ansible",
   "descriptionID": "c6e4ac23",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "7674a686-e4b1-4a95-83d4-1fd53c623d84",
   "queryName": "Config Rule For Encrypted Volumes Disabled",
-  "severity": "MEDIUM",
+  "severity": "HIGH",
   "category": "Encryption",
   "descriptionText": "Check if AWS config rules do not identify Encrypted Volumes as a source.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_rule_module.html#parameter-source/identifier",
   "platform": "Ansible",
   "descriptionID": "5b434d3f",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "af167837-9636-4086-b815-c239186b9dda",
   "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA",
-  "severity": "MEDIUM",
+  "severity": "HIGH",
   "category": "Access Control",
   "descriptionText": "Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_role_module.html#parameter-assume_role_policy_document",
   "platform": "Ansible",
   "descriptionID": "54f0a7dd",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "0956aedf-6a7a-478b-ab56-63e2b19923ad",
   "queryName": "DB Security Group With Public Scope",
-  "severity": "HIGH",
+  "severity": "CRITICAL",
   "category": "Networking and Firewall",
   "descriptionText": "The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
   "platform": "Ansible",
   "descriptionID": "47a14ee4",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "HIGH"
 }

assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "4b6012e7-7176-46e4-8108-e441785eae57",
   "queryName": "EBS Volume Encryption Disabled",
-  "severity": "MEDIUM",
+  "severity": "HIGH",
   "category": "Encryption",
   "descriptionText": "EBS volumes should be encrypted",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted",
   "platform": "Ansible",
   "descriptionID": "06f72385",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/ec2_instance_has_public_ip/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1",
   "queryName": "EC2 Instance Has Public IP",
-  "severity": "HIGH",
+  "severity": "MEDIUM",
   "category": "Networking and Firewall",
   "descriptionText": "EC2 Instance should not have a public IP address.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-assign_public_ip",
   "platform": "Ansible",
   "descriptionID": "f32c5d88",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "HIGH"
 }

assets/queries/ansible/aws/ec2_instance_using_default_security_group/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "8d03993b-8384-419b-a681-d1f55149397c",
   "queryName": "EC2 Instance Using Default Security Group",
-  "severity": "LOW",
+  "severity": "MEDIUM",
   "category": "Access Control",
   "descriptionText": "EC2 instances should not use default security group(s)",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-group",
   "platform": "Ansible",
   "descriptionID": "cc323109",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "LOW"
 }

assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "fb5a5df7-6d74-4243-ab82-ff779a958bfd",
   "queryName": "ECR Repository Is Publicly Accessible",
-  "severity": "MEDIUM",
+  "severity": "CRITICAL",
   "category": "Access Control",
   "descriptionText": "Amazon ECR image repositories shouldn't have public access",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_ecr_module.html#parameter-policy",
   "platform": "Ansible",
   "descriptionID": "060d624f",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }

assets/queries/ansible/aws/ecs_service_without_running_tasks/metadata.json

@@ -1,12 +1,13 @@
 {
   "id": "f5c45127-1d28-4b49-a692-0b97da1c3a84",
   "queryName": "ECS Service Without Running Tasks",
-  "severity": "MEDIUM",
+  "severity": "LOW",
   "category": "Availability",
   "descriptionText": "ECS Service should have at least 1 task running",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html#ansible-collections-community-aws-ecs-service-module",
   "platform": "Ansible",
   "descriptionID": "dce30fcb",
   "cloudProvider": "aws",
-  "cwe": ""
+  "cwe": "",
+  "oldSeverity": "MEDIUM"
 }