Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

bug(query): security groups not used query with false positive if security group added in a list #7212

Open srouaix opened 4 months ago

srouaix commented 4 months ago

When a security group ID is added in a list, KICS detects an unused security group.

Example of code: sample.zip

module "fake" {
  source = "modules/fake"
  security_group_id = [aws_security_group.main.id]
}

This workaround doesn't trigger "security groups not used":

locals {
  security_group_id = aws_security_group.main.id
}

module "fake" {
  source = "modules/fake"
  security_group_id = [local.security_group_id]
}

Expected Behavior

No detection of security group Not Used

Actual Behavior

logs.txt

Security Group Not Used, Severity: INFO, Results: 1
Description: Security group must be used or not declared
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24

        [1]: ../../path/main.tf:1

                001: resource "aws_security_group" "main" {
                002:   name        = "test"
                003:   description = "test"

Steps to Reproduce the Problem

  1. docker run -t -v ./:/path checkmarx/kics scan -p /path

Specifications

(N/A if not applicable)

cx-monicac commented 4 months ago

Hi @srouaix, thanks for your input!

We asked our internal AppSec team to provide you feedback on this. We will keep you updated. (APPSEC-2915)
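
While the finding is under review, a reference check that does not care where the expression sits (list, local, or plain argument) can confirm whether a flagged group is really unused. This is an added example, not part of the original issue and not KICS's query logic; the function names, the regex-based matching and the sample Terraform are constructed for illustration, and it assumes all sources passed in belong to one module.

```python
import re
import sys
from pathlib import Path

# Constructed sample (not the reporter's sample.zip): "main" is referenced only
# inside a list, as in the issue; "orphan" is never referenced.
SAMPLE_TF = '''
resource "aws_security_group" "main" {
  name        = "test"
  description = "test"
}
resource "aws_security_group" "orphan" {
  name = "orphan"
}
module "fake" {
  source            = "modules/fake"
  security_group_id = [aws_security_group.main.id]
}
'''

DECL = re.compile(r'resource\s+"aws_security_group"\s+"([^"]+)"')

def strip_comments(text):
    """Remove /* */, # and // comments so commented-out references do not count."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)(^|\s)(#|//).*$", r"\1", text)

def unused_security_groups(*sources):
    """Return declared aws_security_group names with no reference in any source."""
    text = strip_comments("\n".join(sources))
    unused = []
    for name in sorted(set(DECL.findall(text))):
        # Match the traversal anywhere in an expression (list, local, argument);
        # the lookbehind excludes data.aws_security_group.<name>.
        ref = re.compile(r"(?<![\w.])aws_security_group\." + re.escape(name) + r"(?![\w-])")
        if not ref.search(text):
            unused.append(name)
    return unused

if __name__ == "__main__":
    # Pass one module directory of .tf files, or no argument to use the sample.
    if len(sys.argv) > 1:
        sources = [p.read_text() for p in Path(sys.argv[1]).glob("*.tf")]
    else:
        sources = [SAMPLE_TF]
    print("unreferenced security groups:", unused_security_groups(*sources))
```

A group that KICS flags but this check does not list is a candidate false positive of the kind reported here.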