
bug(cloudformation): elb_with_security_group_without_inbound_rules fails when other SG use AWS::EC2::SecurityGroupIngress #7303

Open
fischaz opened this issue Dec 9, 2024 · 1 comment
Labels
aws PR related with AWS Cloud bug Something isn't working cloudformation CloudFormation query community Community contribution docker Docker query query New query feature

Comments

@fischaz

fischaz commented Dec 9, 2024

Description

The rule elb_with_security_group_without_inbound_rules (e200a6f3-c589-49ec-9143-7421d4a2c845) seems to misbehave when there are other AWS::EC2::SecurityGroupIngress resources for other security group names in the same template document, and misfires.

Expected Behavior

The following template would be a valid template IMO:

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: app security group
      VpcId: vpc-1234
      SecurityGroupEgress:
        - IpProtocol: "tcp"
          FromPort: 443
          ToPort: 443
          CidrIp: "0.0.0.0/0"
          Description: HTTPS

  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: alb security group
      VpcId: vpc-1234
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: "10.0.0.0/8"
          Description: HTTPS
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          DestinationSecurityGroupId: !Ref AppSecurityGroup
          Description: HTTPS connection to app

  # Avoid circular dependence by splitting ingress rules into a separate resource
  AppSecurityGroupFromALB:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AppSecurityGroup
      IpProtocol: tcp
      FromPort: 8080
      ToPort: 8080
      SourceSecurityGroupId: !Ref ALBSecurityGroup
      Description: HTTPS connection from ALB

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Subnets:
        - subnet-abc
        - subnet-def
      SecurityGroups:
        - !Ref ALBSecurityGroup

  • Creates a security group ALBSecurityGroup whose ingress is open from 10.0.0.0/8 and whose egress allows traffic only to the security group AppSecurityGroup
  • The security group AppSecurityGroup only allows ingress from the ALB security group ALBSecurityGroup and allows general HTTPS egress (AWS SDK, ...)
  • The load balancer LoadBalancer attaches only to ALBSecurityGroup

In this template, I'm expecting kics not to fire the issue ELB With Security Group Without Inbound Rules, as there is clearly an ingress rule on the ALB-attached security group.

Actual Behavior

With the command:

docker run -t -v $(pwd):/path checkmarx/kics scan -p /path -o "/path/"

KICS fired the following rule:

{
	"kics_version": "v2.1.3",
	"files_scanned": 1,
	"lines_scanned": 53,
	"files_parsed": 1,
	"lines_parsed": 52,
	"lines_ignored": 1,
	"files_failed_to_scan": 0,
	"queries_total": 500,
	"queries_failed_to_execute": 0,
	"queries_failed_to_compute_similarity_id": 0,
	"scan_id": "console",
	"severity_counters": {
		"CRITICAL": 0,
		"HIGH": 0,
		"INFO": 0,
		"LOW": 1,
		"MEDIUM": 4,
		"TRACE": 0
	},
	"total_counter": 5,
	"total_bom_resources": 0,
	"start": "2024-12-09T04:20:09.207771959Z",
	"end": "2024-12-09T04:20:12.335319002Z",
	"paths": [
		"/path"
	],
	"queries": [
		{
			"query_name": "ELB With Security Group Without Inbound Rules",
			"query_id": "e200a6f3-c589-49ec-9143-7421d4a2c845",
			"query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupingress",
			"severity": "MEDIUM",
			"platform": "CloudFormation",
			"cwe": "665",
			"cloud_provider": "AWS",
			"category": "Networking and Firewall",
			"experimental": false,
			"description": "An AWS Elastic Load Balancer (ELB) shouldn't have security groups without outbound rules",
			"description_id": "3ccdd7d2",
			"files": [
				{
					"file_name": "../../path/template.yml",
					"similarity_id": "d4f4ee0b7e016728139eb87167f62b3ed7939db640bb6286082136fa9c84a4a6",
					"line": 17,
					"resource_type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
					"resource_name": "CerapAppALB",
					"issue_type": "MissingAttribute",
					"search_key": "Resources.ALBSecurityGroup.Properties",
					"search_line": -1,
					"search_value": "",
					"expected_value": "'Resources.ALBSecurityGroup.Properties.SecurityGroupIngress' is defined",
					"actual_value": "'Resources.ALBSecurityGroup.Properties.SecurityGroupIngress' is undefined"
				}
			]
		},
        ]
}

I suspect that the third check in https://github.com/Checkmarx/kics/blob/master/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/query.rego#L39-L47 is matching the fact that there is an AWS::EC2::SecurityGroupIngress resource, but the GroupId is for some other security group.

Steps to Reproduce the Problem

(Command line arguments and flags used)

  1. step 1
  2. step 2
  3. step 3

Specifications

(N/A if not applicable)

  • Version: v2.1.3
  • Platform: macOS (docker-desktop)
  • Subsystem:
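To make the reporter's suspicion concrete, here is an added example (written for this page, not KICS's own Rego query) that re-implements the intended check in Python: a load balancer's attached security group counts as having inbound rules if it has an inline SecurityGroupIngress property, or if a standalone AWS::EC2::SecurityGroupIngress resource has a GroupId that resolves to that group. Matching on GroupId is the step that distinguishes the ALB's group from an ingress rule written for a different group. The template is the one from the issue, transcribed into the dict a YAML/JSON loader would produce (`!Ref X` in its long form `{"Ref": "X"}`); the second template is a constructed variant with the ALB group's inline ingress removed, to show the case that should still be flagged.

```python
import copy

# Constructed input: the issue's template as a loader would produce it.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "app security group",
                "VpcId": "vpc-1234",
                "SecurityGroupEgress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "ALBSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "alb security group",
                "VpcId": "vpc-1234",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}
                ],
                "SecurityGroupEgress": [
                    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                     "DestinationSecurityGroupId": {"Ref": "AppSecurityGroup"}}
                ],
            },
        },
        # Standalone ingress rule: it belongs to AppSecurityGroup, not to the ALB's group.
        "AppSecurityGroupFromALB": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Ref": "AppSecurityGroup"},
                "IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                "SourceSecurityGroupId": {"Ref": "ALBSecurityGroup"},
            },
        },
        "LoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties": {
                "Scheme": "internet-facing",
                "Subnets": ["subnet-abc", "subnet-def"],
                "SecurityGroups": [{"Ref": "ALBSecurityGroup"}],
            },
        },
    },
}

# Constructed negative case: the ALB's group loses its inline ingress. The
# standalone ingress resource still exists but targets AppSecurityGroup, so
# the ALB's group really has no inbound rule and must be reported.
VARIANT_NO_ALB_INGRESS = copy.deepcopy(TEMPLATE)
del VARIANT_NO_ALB_INGRESS["Resources"]["ALBSecurityGroup"]["Properties"]["SecurityGroupIngress"]

LB_TYPES = {"AWS::ElasticLoadBalancingV2::LoadBalancer",
            "AWS::ElasticLoadBalancing::LoadBalancer"}


def ref_name(value):
    """Resolve {"Ref": "X"} or {"Fn::GetAtt": ["X", "GroupId"]} to the logical id X.
    Plain strings (hard-coded sg-... ids) are returned unchanged."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return value


def security_groups_with_ingress(resources):
    """Logical ids of security groups that have at least one inbound rule,
    inline or via a standalone AWS::EC2::SecurityGroupIngress whose GroupId
    points at that group. Matching on GroupId is the essential step."""
    with_ingress = set()
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup" and props.get("SecurityGroupIngress"):
            with_ingress.add(name)
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            target = ref_name(props.get("GroupId"))
            if target in resources:  # only groups defined in this template
                with_ingress.add(target)
    return with_ingress


def find_elb_sgs_without_ingress(template):
    """Return (load_balancer, security_group) pairs where an attached group
    defined in this template has no inbound rule at all."""
    resources = template.get("Resources", {})
    covered = security_groups_with_ingress(resources)
    findings = []
    for lb_name, res in resources.items():
        if res.get("Type") not in LB_TYPES:
            continue
        for sg in res.get("Properties", {}).get("SecurityGroups", []):
            sg_name = ref_name(sg)
            if sg_name in resources and sg_name not in covered:
                findings.append((lb_name, sg_name))
    return findings


if __name__ == "__main__":
    print(find_elb_sgs_without_ingress(TEMPLATE))                # []
    print(find_elb_sgs_without_ingress(VARIANT_NO_ALB_INGRESS))  # [('LoadBalancer', 'ALBSecurityGroup')]
```

Run as-is, the issue's template yields no finding, while the variant reports the load balancer's group: the presence of some standalone ingress resource is not enough, it has to reference the group attached to the load balancer. Groups referenced by a literal `sg-...` id are skipped, since a template-only scanner cannot know their rules.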
@fischaz fischaz added bug Something isn't working community Community contribution labels Dec 9, 2024
@github-actions github-actions bot added query New query feature cloudformation CloudFormation query docker Docker query aws PR related with AWS Cloud labels Dec 9, 2024