v2.1.17

What's Changed

• feat(query): implements "Beta - SQL DB Instance With Unrecommended Logging Threshold" by @cx-andre-pereira in #7782
• feat(query): implements "Beta - SQL DB Instance With Unrecommended Error Logging Threshold" by @cx-andre-pereira in #7783
• build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @dependabot[bot] in #7867
• fix(vulnerabilities): update dockerfile images to the latest version by @cx-artur-ribeiro in #7873
• feat(query): new query "Beta - Databricks Workspace Using Default Virtual Network" - Terraform/azure by @cx-andre-pereira in #7767
• fix(engine): update yaml parsing to support a wider variety of integer representations by @cx-eduardo-semanas in #7875
• fix(vulnerabilities): update helm to v3.19.2 and buildkit to v0.26.2 by @cx-rui-araujo in #7882
• docs(queries): update queries catalog by @kicsbot in #7865
• docs(kicsbot): preparing for release 2.1.17 by @kicsbot in #7889

Full Changelog: v2.1.16...v2.1.17

v2.1.16

What's Changed

• feat(query): implements "Beta - Google DNS Policy Logging Disabled" by @cx-andre-pereira in #7773
• docs(missingfields): add cwe and risk score to results documentation page by @cx-artur-ribeiro in #7796
• fix(queries): fixed fp for sns topic is publicly accesible query for Terraform/AWS, Ansible/AWS and CloudFormation/aws by @cx-ricardo-jesus in #7758
• fix(vulnerabilities): update dockerfile images to fix trivy vulnerabilities by @cx-artur-ribeiro in #7803
• feat(query): implements "Beta - SQL DB Instance With Exposed Show Privileges" by @cx-andre-pereira in #7776
• feat(query): implements "Beta - SQL DB Instance With Local Data Loading Enabled" by @cx-andre-pereira in #7777
• fix(query): added support for database resources to 2 queries - terraform/azure by @cx-andre-pereira in #7746
• fix(query): added cases for Azure App Service resources: azurerm_linux_web_app and azurerm_windows_web_app (Issue #7719) by @tplisson in #7722
• fix(transition): experimental queries get NonGraceffulyTransition transition type by @cx-ricardo-jesus in #7809
• fix(cfquery): remove usage of rego built in walk function by @cx-artur-ribeiro in #7823
• feat(query): implements "Beta - SQL DB Instance Without Connections Logging" by @cx-andre-pereira in #7779
• feat(query): implements "Beta - SQL DB Instance Without Disconnections Logging" by @cx-andre-pereira in #7780
• feat(query): implements "Beta - SQL DB Instance With Minimum Log Duration" by @cx-andre-pereira in #7784
• feat(query): implements "Beta - SQL DB Instance Without Centralized Logging" by @cx-andre-pereira in #7785
• feat(query): implements "Beta - SQL DB Instance With External Scripts Enabled" by @cx-andre-pereira in #7786
• fix(yaml): prevent panic when parsing recursive anchors or aliases by @cx-artur-ribeiro in #7816
• feat(query): implements "Beta - SQL DB Instance With Ownership Chaining Enabled" by @cx-andre-pereira in #7787
• feat(query): implements "Beta - SQL DB Instance With Limited User Connections" by @cx-andre-pereira in #7788
• feat(query): implements "Beta - SQL DB Instance With Global User Options" by @cx-andre-pereira in #7789
• feat(query): implements "Beta - SQL DB Instance With Remote Access Enabled" by @cx-andre-pereira in #7790
• feat(query): implements "Beta - SQL DB Instance With Exposed Trace Logs" by @cx-andre-pereira in #7791
• feat(query): implements "Beta - SQL DB Instance With Contained Database Authentication" by @cx-andre-pereira in #7792
• fix(analyzer): handle encoded files extracted from zip archives on windows by @cx-artur-ribeiro in #7820
• fix(vulnerabilities): remove containerd from direct import by @cx-rui-araujo in #7839
• docs(contribution): added extra information on the contributing page from the KICS documentation by @cx-ricardo-jesus in #7749
• fix(query): support for array's and some minor fixes by @cx-andre-pereira in #7844
• fix(vulnerabilities): update crypto from v0.41.0 to v0.43.0 to fix vulnerabilities by @cx-artur-ribeiro in #7853
• fix(vulnerabilities): update buildkit pkg from v0.22.0 to v0.26.0 by @cx-rui-araujo in #7854
• build(images): update base images by @cx-miguel-silva in #7857
• docs(queries): update queries catalog by @kicsbot in #7799
• docs(kicsbot): preparing for release 2.1.16 by @kicsbot in #7860

New Contributors

• @tplisson made their first contribution in #7722

Full Changelog: v2.1.15...v2.1.16

v2.1.15

What's Changed

• fix(ghaction): update update-docs-release.yaml by @cx-bruno-silva in #7736
• fix(ghaction): update update-docs-release.yaml by @cx-bruno-silva in #7737
• fix(query): added two new allowRules on "Generic Secret" and "Generic Token" queries from Passwords and Secrets by @cx-ricardo-jesus in #7698
• fix(query): fixed allowRule's on Generic Token and Generic Secret from Passwords and Secrets query by @cx-ricardo-jesus in #7739
• fix(query): passwords and secrets fp for run after triggers by @cx-andre-pereira in #7713
• fix(query): added support for azurerm_mssql_firewall_rule resources to 2 queries - terraform/azure by @cx-andre-pereira in #7716
• fix(query): fn for API Gateway With CloudWatch Logging Disabled - terraform/aws by @cx-andre-pereira in #7694
• fix(query): fp for operation without successful http status code when valid codes are present by @cx-artur-ribeiro in #7604
• fix(vuln): update gogetter to version 1.8.1 by @cx-artur-ribeiro in #7743
• fix(vulnerabilities): update dockerfile images to fix vulnerabilities by @cx-artur-ribeiro in #7757
• fix(queries): update queries severities by @cx-artur-ribeiro in #7733
• fix(query): support for new app_service resources - terraform/azure by @cx-andre-pereira in #7742
• fix(queries): add missing transitions & improve query flow by @cx-miguel-silva in #7759
• feat(riskscore): add risk score to all queries by @cx-artur-ribeiro in #7728
• fix(makefile): update CONSTANTS_PATH in Makefile for v2 by @zackchadwick in #7764
• fix(riskscore): add risk score to query-page-generator, query page template and extract info by @cx-artur-ribeiro in #7766
• fix(query): adding missing function_app resources to terraform/azure queries by @cx-andre-pereira in #7744
• fix(typeflag): fix bicep wrong behavior with type and excludeType flags by @cx-artur-ribeiro in #7765
• feat(log): add results and queries summaries to log by @cx-laura-rodrigues in #7606
• fix(queries): BETA queries naming removed for Tencent Cloud & Databricks by @cx-miguel-silva in #7771
• test(query): improved testing for Azure App Service Client Certificate Disabled query by @cx-andre-pereira in #7768
• fix(query): fix beta naming in similarityID transition docs by @cx-miguel-silva in #7774
• fix(query): added missing support for "aws_launch_template" resource to "Instance Uses Metadata Service IMDSv1" by @cx-andre-pereira in #7778
• docs(queries): update queries catalog by @kicsbot in #7738
• docs(kicsbot): preparing for release 2.1.15 by @kicsbot in #7795

New Contributors

• @cx-bruno-silva made their first contribution in #7736
• @zackchadwick made their first contribution in #7764
• @cx-laura-rodrigues made their first contribution in #7606

Full Changelog: v2.1.14...v2.1.15

v2.1.14

What's Changed

• fix(query): fixed false negative for "App Service Authentication Disabled" query missing resources by @cx-ricardo-jesus in #7591
• fix(query): fn for security_group_with_unrestricted_access_to_ssh - terraform/aws by @cx-andre-pereira in #7568
• fix(bicep): remove references to Bicep as a platform by @cx-artur-ribeiro in #7637
• fix(query): fixed FN for the missing resources on "App Service HTTP2 Disabled" query by @cx-ricardo-jesus in #7592
• feat(query): added new query: ElasticSearch Without Audit Logs - cloudFormation/aws by @cx-andre-pereira in #7565
• test(query): added extra tests to "Security Group Not Used" query for terraform/aws by @cx-ricardo-jesus in #7641
• test(query): new test for cloudwatch metrics disabled by @cx-andre-pereira in #7640
• feat(query): implements "iam policy allows for data exfiltration" - terraform/aws & cloudformation/aws by @cx-andre-pereira in #7631
• fix(query): fp for Media Type Object Without Schema -- OpenAPI/3.0 by @cx-andre-pereira in #7621
• feat(query): implements ecr_repository_not_encrypted_with_CMK for cloudformation by @cx-andre-pereira in #7633
• feat(query): implements Redshift_Cluster_Without_VPC--cloudformation/aws by @cx-andre-pereira in #7617
• feat(query): new query - "EKS Cluster Encryption Disabled" query implemented for CloudFormation platform by @cx-ricardo-jesus in #7616
• feat(query): lambda function without dead letter queue query implemented for Terraform/aws by @cx-ricardo-jesus in #7620
• fix(query): fn for S3 Bucket Allows Public Policy by @cx-ricardo-jesus in #7603
• feat(queries): new queries ECS Services assigned with public IP address for Ansible/aws, Terraform/aws and CloudFormation/AWS by @cx-ricardo-jesus in #7619
• feat(queries): new queries "Instance Uses Metadata Service IMDSv1" for Terraform/aws, Ansible/aws and CloudFormation/AWS by @cx-ricardo-jesus in #7624
• feat(query): elasticsearch domain encryption should be enabled node to node query implementation for CloudFormation/AWS by @cx-ricardo-jesus in #7627
• fix(query): web app not using TLS last version query requires minimum TLS version 1.3 by @cx-ricardo-jesus in #7628
• fix(githubaction): adds git pull to docs release action by @cx-monica-casanova in #7650
• feat(query): implementation of DAX_Cluster_Not_Encrypted for CloudFormation/aws by @cx-andre-pereira in #7599
• fix(query): fn for Trusted Microsoft Services Not Enabled - ARM by @cx-andre-pereira in #7587
• fix(query): fn for SQL Server Database With Alerts Disabled - ARM - terraform/azure by @cx-andre-pereira in #7584
• feat(query): implements "aws eip not attached to any ec2 instance" for terraform/aws by @cx-andre-pereira in #7596
• fix(query): fn for IAM_Policies_With_Full_Privileges -- terraform/aws by @cx-andre-pereira in #7601
• feat(query): new query - S3_Bucket_Notifications_Disabled for terraform/aws by @cx-andre-pereira in #7602
• fix(query): fp for Storage Share File Allows All ACL Permissions by @cx-andre-pereira in #7612
• feat(query): implements Neptune_Logging_Is_Disabled--cloudformation/aws by @cx-andre-pereira in #7614
• feat(test): add support for folder-based query test cases by @cx-romeu-silva in #7647
• fix(query): fp for passwords and secrets generic password by @cx-andre-pereira in #7625
• fix(docs): exclude folder-based query test cases from the query documentation by @cx-romeu-silva in #7657
• feat(query): implements ELBv2_LB_Access_Log_Disabled--terraform/aws by @cx-andre-pereira in #7594
• fix(vuln): update go-getter to fix vulnerability by @cx-artur-ribeiro in #7659
• fix(query): fn for passwords and secrets json files by @cx-andre-pereira in #7632
• feat(queries): tags not copied to rds cluster snapshot query implementation for terraform/aws and CloudFormation/aws by @cx-ricardo-jesus in #7655
• feat(query): implements Postgres_RDS_Logging_Disabled--terraform/aws by @cx-andre-pereira in #7615
• fix(queries): launch configuration is not encrypted resources missing support by @cx-ricardo-jesus in #7649
• fix(query): fp for passwords and secrets - generic secret by @cx-ricardo-jesus in #7656
• fix(query): fixed query "s3 bucket with public policy" by @cx-ricardo-jesus in #7661
• feat(query): new "ElasticSearch Without Es Application Logs" query to replace old logs query--cloudformation/aws by @cx-andre-pereira in #7645
• test(query): add missing test case for S3 Bucket Allows Public Policy by @cx-romeu-silva in #7664
• feat(query): new query - Secretmanager Secret Without KMS for CloudFormation/aws by @cx-ricardo-jesus in #7607
• test(query): new tests for Redshift Cluster Without VPC by @cx-andre-pereira in #7665
• test(query): fixed negative tests for "Storage Share File Allows All ACL Permissions" - terraform/azure by @cx-andre-pereira in #7660
• fix(mapstructure): update mapstructure from version 2.3.0 to 2.4.0 to fix vulnerabilities by @cx-artur-ribeiro in #7671
• fix(query): fixed fn for "SQL Server Database With Unrecommended Retention Days" query by @cx-ricardo-jesus in #7670
• feat(queries): query IAM DB Cluster Auth Not Enabled implemented for terraform/aws and cloudFormation/aws by @cx-ricardo-jesus in #7667
• test(query): missing tests for s3_bucket_notifications_disabled by @cx-andre-pereira in #7672
• fix(query): fn for EFS volume with disabled transit encryption--cloudformation/aws by @cx-andre-pereira in #7586
• test(query): tests and typo fix for ELBv2_LB_Access_Log_Disabled--terraform/aws by @cx-andre-pereira in #7674
• fix(query): media type object without schema -- OpenAPI 3.0 by @cx-andre-pereira in #7668
• fix(query): added module support for "iam_db_cluster_auth_not_enabled" query by @cx-ricardo-jesus in #7675
• fix(test): changed iam_database_authentication_field value from true to false on the sample negative5.tf by @cx-ricardo-jesus in #7677
• fix(query): added support for a new case in "elasticsearch domain not encrypted" query by @cx-ricardo-jesus in #7680
• test(query): mini fix for negative7 test on query elastic_search_without_audit_logs - coudformation/aws by @cx-andre-pereira in #7689
• fix(query): used isCloudFormationTrue helper function on elasticsearch domain not encrypted node to node by @cx-ricardo-jesus in #7695
• test(query): two missing tests for postgres rds logging disabled -- terraform/aws by @cx-andre-pereira in #7685
• test(query): added two more samples to "App Service HTTP2 Disabled" query by @cx-ricardo-jesus in #7681
• fix(queries): added samples and searchLines on ecs services assigned with public ip address query for Terraform, Ansible and CloudFormation by @cx-ricardo-jesus in #7693
• fix(query): fixed query block device is not encrypted to support changes on the last version of the modules by @cx-ricardo-jesus in #7686
• fix(query): fixed searchLine and added new test case for web app not using tls last version query for azureResourceManager by @cx-ricardo-jesus in #7690
• fix(query): added suport for modules and more test samples for tags not copied to rds cluster snapshot query for terraform by @cx-ricardo-jesus in #7691
• fix(query): trusted microsoft services not enabled and new tests - ARM by @cx-andre-pereira in #7703
• test(query): new tests and minor fixes for IAM_Policies_With_Full_Privileges -- terraform/aws by @cx-andre-pereira in #7702
• fix(query): removed unnecessary else on get_children helper function from sql server database with unrecommended retention days query by @cx-ricardo-jesus in #7705
• update(query): update description text for dockerfi...

v2.1.13

What's Changed

• fix(query): fixed false positive for website with client certificate auth disabled and azure app service client certificate disabled by @cx-ricardo-jesus in #7537
• fix(apkmissing): add alpine image build and dockerfile related file by @cx-artur-ribeiro in #7581
• fix(query): fix fp for s3_bucket_access_to_any_principal by @cx-andre-pereira in #7564
• fix(query): fix fp in password and secrets Generic Token by @cx-andre-pereira in #7555
• fix(query): added one extra verification on the ECS Cluster Not Encrypted At Rest query by @cx-ricardo-jesus in #7563
• fix(unmarshaller): panic while unmarshalling yaml foot comments edge cases by @cx-eduardo-semanas in #7613
• fix(query): fp for security_groups_not_used - terraform/aws by @cx-andre-pereira in #7566
• fix(query): added one more allow rule on Generic Password query to allow passwords retrieved from ARM parameters by @cx-ricardo-jesus in #7569
• fix(query): fn for SQL Server Database Without Auditing - ARM by @cx-andre-pereira in #7590
• fix(query): fn for Cloudformation queries - complete boolean logic update by @cx-andre-pereira in #7585
• fix(query): small fixes on the query "Azure App Service Client Certificate Disabled" for Terraform by @cx-ricardo-jesus in #7634
• fix(query): fixed cases not supported on "ecs cluster not encrypted at rest query" query by @cx-ricardo-jesus in #7638
• fix(ubi): update ubi dockerfile go version to 1.24.6 by @cx-artur-ribeiro in #7639
• docs(queries): update queries catalog by @kicsbot in #7605
• docs(kicsbot): preparing for release 2.1.13 by @kicsbot in #7643

New Contributors

• @cx-ricardo-jesus made their first contribution in #7537

Full Changelog: v2.1.12...v2.1.13

v2.1.12

What's Changed

• ci(deps): bump the all group across 1 directory with 7 updates by @dependabot[bot] in #7505
• build(deps): bump helm.sh/helm/v3 from 3.18.2 to 3.18.4 by @dependabot[bot] in #7528
• fix(parser): add type assertion verification to certificate elements process by @cx-artur-ribeiro in #7526
• fix(dockerfile): update debian dockerfile image with stable-slim version by @cx-artur-ribeiro in #7540
• fix(query): fix fn for s3_bucket_without_restriction_of_public_bucket by @cx-romeu-silva in #7506
• fix(query): fix fp for web app not using tls last version by @cx-andre-pereira in #7556
• fix(query): fix fp for api_gateway_method_does_not_contains_an_api_key by @cx-andre-pereira in #7557
• fix(symlink): add return statements for early exit in checkSymLink by @cx-artur-ribeiro in #7532
• fix(query): fix fp for image_version_not_explicit by @cx-andre-pereira in #7561
• fix(query): fix fn for cloudTrail_multi_region_disabled by @cx-andre-pereira in #7558
• fix(query): fix fn for ssh_is_exposed_to_the_internet and rdp_is_exposed_to_the_internet by @cx-andre-pereira in #7560
• fix(query): fix fp for s3_bucket_logging_disabled by @cx-andre-pereira in #7559
• fix(progressbar): fix flaky TestCounter_Start unit test by @cx-artur-ribeiro in #7573
• fix(vulnerabilities): update go version to fix grype vulnerabilities by @cx-artur-ribeiro in #7589
• docs(queries): update queries catalog by @kicsbot in #7553
• docs(kicsbot): preparing for release 2.1.12 by @kicsbot in #7593

New Contributors

• @cx-andre-pereira made their first contribution in #7556

Full Changelog: v2.1.11...v2.1.12

v2.1.11

What's Changed

• docs(kicsbot): preparing for release 2.1.10 by @kicsbot in #7486
• update(deps): fix vulnerabilities and upgrade to GOv1.24.4 by @cx-rui-araujo in #7493
• fix(query): fix fp for missing_flag_from_dnf_install by @cx-romeu-silva in #7497
• fix(query): support deprecated enable_https_traffic_only and https_traffic_only_enabled fields by @cx-artur-ribeiro in #7461
• docs(platforms): add documentation to Analyzer Blacklist for Unsupported File Types by @cx-artur-ribeiro in #7509
• fix(query): improving Volume Mount With OS Directory Write Permissions k8s query by @cx-artur-ribeiro in #7508
• fix(query): fix fp for ecs_cluster_not_encrypted_at_rest by @cx-romeu-silva in #7510
• fix(query): fix fn in password and secrets Dockerfile ENV variable cases by @cx-eduardo-semanas in #7503
• fix(query): fix fp for mssql_server_auditing_disabled by @cx-romeu-silva in #7492
• fix(query): fix fp for iam_group_without_users by @cx-romeu-silva in #7502
• fix(query): fix fn for iam_policy_grants_full_permissions by @cx-romeu-silva in #7500
• fix(query): fix fp in password and secrets Generic Passwords by @cx-romeu-silva in #7512
• fix(query): fix fp in password and secrets Generic Private Key by @cx-romeu-silva in #7514
• docs(queries): update queries catalog by @kicsbot in #7507
• docs(kicsbot): preparing for release 2.1.11 by @kicsbot in #7520

New Contributors

• @cx-romeu-silva made their first contribution in #7497

Full Changelog: v2.1.10...v2.1.11

v2.1.10

What's Changed

• fix(engine): fix line counter for JSON Minified files by @cx-rui-araujo in #7473
• fix(analyzer): exclude azure-pipelines-vscode schema JSON file by @cx-rui-araujo in #7482
• update(deps): update helm to v3.18.2 and buildkit to v0.22.0 by @cx-rui-araujo in #7484

Full Changelog: v2.1.9...v2.1.10

v2.1.9

What's Changed

• fix(perms): revert permissions change to fix results export error by @cx-artur-ribeiro in #7477
• fix(perms): revert file permission changes on reports by @cx-artur-ribeiro in #7479
• feat(analyzer): add a blacklist to the Analyzer to exclude FHIR files by @cx-artur-ribeiro in #7470
• fix(query): fix fn for S3_Bucket_Allows_Public_Policy query by @cx-artur-ribeiro in #7456
• docs(queries): update queries catalog by @kicsbot in #7480
• docs(kicsbot): preparing for release 2.1.9 by @kicsbot in #7481

Full Changelog: v2.1.8...v2.1.9

v2.1.8

What's Changed

• ci(deps): bump the all group across 1 directory with 2 updates by @dependabot in #7446
• fix(queries): support all valid CloudWatch Logs retention periods by @jamesbascle in #7450
• ci(deps): bump the all group across 1 directory with 2 updates by @dependabot in #7453
• docs(queries): update universal JSON creation to docker command by @dmeiser in #7454
• update(deps): update OPA package to version 1.4.2 by @cx-rui-araujo in #7460
• fix(query): fn for s3_bucket_allows_delete_action_from_all_principals query by @cx-artur-ribeiro in #7455
• ci(deps): bump securego/gosec from 2.22.3 to 2.22.4 in the all group by @dependabot in #7463
• feat(resolver): kubernetes circular dependency is causing resource exhaustion by @cx-miguel-silva in #7421
• fix(lint): update lint version by @cx-artur-ribeiro in #7445
• docs(queries): update queries catalog by @kicsbot in #7462
• docs(kicsbot): preparing for release 2.1.8 by @kicsbot in #7471

New Contributors

• @jamesbascle made their first contribution in #7450
• @dmeiser made their first contribution in #7454

As part of PR #7423, we significantly optimized the OpenAPI payload generation by resolving a direct circular dependency that previously caused excessive and redundant schema expansion (due to direct references between openAPI files).

This fix has substantially reduced the size of OpenAPI payloads (.yaml or .json files), which in turn may have decreased the number of results produced by KICS OpenAPI queries.

Full Changelog: v2.1.7...v2.1.8