
Conversation

@cx-ricardo-jesus (Contributor) commented Jul 11, 2025

Reason for Proposed Changes

  • The query Website with Client Certificate Auth Disabled (ARM) currently returns a positive result; however, it should not return this positive result if the application is using the HTTP/2 protocol (field siteConfig.http20Enabled set to true).
  • I also found a query on the Terraform platform that verifies whether the Azure App Service has the client certificate enabled, called Azure App Service Client Certificate Disabled, which is analogous to the query that I mentioned in the first point and also returns a vulnerability when the client certificate is enabled but does not recognize the http2_enabled field (if this field is set to true it should not return the vulnerability).

Proposed Changes

  • In order to fix this bug, an extra verification (not is_using_http2_protocol) is added on both policies that verifies if the resource has the HTTP/2 protocol set to true.
  • This is_using_http2_protocol auxiliary function that I created in order to do the verification only checks, inside the properties of the resources, if they have a field called http20Enabled set to true and, if that is the case, it returns true.
  • On the policies, if the auxiliary function that I described above returns a false result (if it does not have a http20Enabled field set to true), it produces a positive result.
  • I also added two extra negative tests. The first one, called negative3.bicep, has the field clientCertEnabled set to false, which now, after the changes that I made, should not return a vulnerability because it also has the http20Enabled field set to true.
  • The other negative test, called negative4.bicep, also has the field http20Enabled set to true but, in this case, it does not have the property clientCertEnabled defined; because it is using the HTTP/2 protocol, it does not return a vulnerability.
  • On the Azure App Service Client Certificate Disabled query I only added two extra verifications to the first two policies: one that checks if the HTTP/2 protocol is enabled, and another using the http2_defined_to_false helper function, which is only used to verify if the http2_enabled field is defined and set to false, useful to return a different result in the keyExpectedValue and keyExpectedValue result fields when the fields client_cert_enabled and http2_enabled are both defined and set to true on the third new policy.
  • I also added 2 negative tests on this last query: one with the HTTP/2 protocol enabled and client_cert_enabled set to false, and the other with the client_cert_enabled field not defined and the HTTP/2 protocol enabled.
  • Added one extra positive test with the client_cert_enabled and http2_enabled fields both defined and set to false.

I submit this contribution under the Apache-2.0 license.
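The decision logic the PR describes, written out as an added Python model so the positive and negative cases can be run side by side. This is not the project's Rego query and not the repository's test fixtures; it is example code. Assumptions: the ARM resource type is Microsoft.Web/sites with properties.clientCertEnabled and properties.siteConfig.http20Enabled (as the PR states for the helper), the two finding reasons are this model's own wording, and the sample template below is constructed for the example.

```python
"""Model of the check after this PR: a site is reported only when client
certificate auth is disabled or unset AND HTTP/2 is not enabled.
Added example, not the KICS Rego policy. Resource shape is an assumption."""

from typing import Optional


def is_using_http2_protocol(properties: dict) -> bool:
    """Mirror of the PR's auxiliary function: true only when
    properties.siteConfig.http20Enabled is the boolean true."""
    site_config = properties.get("siteConfig")
    if not isinstance(site_config, dict):
        return False
    return site_config.get("http20Enabled") is True


def client_cert_finding(client_cert_enabled: Optional[bool],
                        http2_enabled: bool) -> Optional[str]:
    """Decision table shared by the ARM and Terraform variants.

    Returns None when no finding should be raised, otherwise a reason.
    The two reasons are this example's own wording; they stand in for the
    'wrong value' versus 'attribute missing' distinction the PR describes."""
    if http2_enabled:
        # The PR's fix: an HTTP/2 site is never reported, whatever the cert setting.
        return None
    if client_cert_enabled is True:
        return None
    if client_cert_enabled is False:
        return "client certificate auth is explicitly disabled"
    return "client certificate auth is not configured"


def check_arm_sites(template: dict) -> list:
    """Apply the rule to every Microsoft.Web/sites resource in an ARM template.
    Returns (resource name, reason) pairs for the sites that should be flagged."""
    findings = []
    for resource in template.get("resources", []):
        if resource.get("type") != "Microsoft.Web/sites":
            continue
        props = resource.get("properties") or {}
        reason = client_cert_finding(
            props.get("clientCertEnabled"), is_using_http2_protocol(props)
        )
        if reason is not None:
            findings.append((resource.get("name"), reason))
    return findings


# Constructed sample covering the cases the PR describes (not the repo's fixtures).
SAMPLE_TEMPLATE = {
    "resources": [
        # positive: cert disabled, HTTP/2 off -> finding
        {"type": "Microsoft.Web/sites", "name": "positive-both-false",
         "properties": {"clientCertEnabled": False,
                        "siteConfig": {"http20Enabled": False}}},
        # negative3-like: cert disabled but HTTP/2 on -> no finding
        {"type": "Microsoft.Web/sites", "name": "negative-http2-cert-false",
         "properties": {"clientCertEnabled": False,
                        "siteConfig": {"http20Enabled": True}}},
        # negative4-like: cert unset but HTTP/2 on -> no finding
        {"type": "Microsoft.Web/sites", "name": "negative-http2-cert-unset",
         "properties": {"siteConfig": {"http20Enabled": True}}},
        # cert unset and no siteConfig at all -> finding (missing attribute)
        {"type": "Microsoft.Web/sites", "name": "positive-missing",
         "properties": {}},
        # cert enabled -> never a finding
        {"type": "Microsoft.Web/sites", "name": "negative-cert-true",
         "properties": {"clientCertEnabled": True}},
        # unrelated resource type is ignored entirely
        {"type": "Microsoft.Storage/storageAccounts", "name": "ignored",
         "properties": {}},
    ]
}


if __name__ == "__main__":
    for name, reason in check_arm_sites(SAMPLE_TEMPLATE):
        print(f"{name}: {reason}")
```

Running the module prints the two positive sites only; the two HTTP/2 sites are the false positives the PR removes. The helper deliberately requires a boolean true, so an absent siteConfig or an explicit false both fall through to the client certificate check.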

@cx-ricardo-jesus cx-ricardo-jesus requested a review from a team as a code owner July 11, 2025 13:22
@github-actions github-actions bot added labels community (Community contribution), bug (Something isn't working), query (New query feature), arm (Azure Resource Manager query) Jul 11, 2025
@cx-ricardo-jesus cx-ricardo-jesus changed the title from "fix(query): fixed false positive when the application is using the HTTP/2 protocol" to "fix(query): fixed false positive for Website with Client Certificate Auth Disabled (ARM)" Jul 14, 2025
@cx-ricardo-jesus cx-ricardo-jesus changed the title from "fix(query): fixed false positive for Website with Client Certificate Auth Disabled (ARM)" to "fix(query): fixed false positive for website with client certificate auth disabled" Jul 14, 2025
@cx-eduardo-semanas (Contributor) left a comment

LGTM

@cx-ricardo-jesus cx-ricardo-jesus marked this pull request as draft July 18, 2025 13:21
@github-actions github-actions bot added labels terraform (Terraform query), azure (PR related with Azure Cloud) Jul 21, 2025
@cx-ricardo-jesus cx-ricardo-jesus marked this pull request as ready for review July 21, 2025 11:37
@cx-ricardo-jesus cx-ricardo-jesus changed the title from "fix(query): fixed false positive for website with client certificate auth disabled" to "fix(query): fixed false positive for website with client certificate auth disabled and azure app service client certificate disabled" Jul 21, 2025
@cx-artur-ribeiro (Contributor) left a comment

LGTM

@cx-eduardo-semanas (Contributor) left a comment

LGTM

@cx-ricardo-jesus cx-ricardo-jesus merged commit 28803b3 into Checkmarx:master Jul 30, 2025
27 checks passed