From 1737770041f25c4e3df8f38d371036ae23a5befe Mon Sep 17 00:00:00 2001
From: EduardoSemanas
Date: Thu, 7 Mar 2024 15:27:58 +0000
Subject: [PATCH 1/2] New allow rule added to common/password_and_secrets to permit the ansible playbook's update_password field

---
 assets/queries/common/passwords_and_secrets/regex_rules.json | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 73b1eac90fd..ceb8473356b 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -12,6 +12,10 @@
     {
       "description": "Avoiding CF AllowUsersToChangePassword",
       "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+    },
+    {
+      "description": "Avoiding Ansible playbook update_password",
+      "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
     }
   ],
   "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"

From 31d29142a67c8cb0e5f35aba73b133c615a9937d Mon Sep 17 00:00:00 2001
From: EduardoSemanas
Date: Thu, 7 Mar 2024 16:37:05 +0000
Subject: [PATCH 2/2] Unit test added

---
 .../common/passwords_and_secrets/test/negative57.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 assets/queries/common/passwords_and_secrets/test/negative57.yml

diff --git a/assets/queries/common/passwords_and_secrets/test/negative57.yml b/assets/queries/common/passwords_and_secrets/test/negative57.yml
new file mode 100644
index 00000000000..7bd9c906de5
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative57.yml
@@ -0,0 +1,8 @@
+- name: "Configure the MySQL user "
+  community.mysql.mysql_user:
+    login_user: "root"
+    login_password: "{{ mysql_root_password }}"
+    name: "{{ mysql_user }}"
+    password: "{{ mysql_user_password }}"
+    password_expire: "never"
+    update_password: "on_create"
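Review bot: The new allow rule for `update_password` accepts any value of four or more characters and puts no boundary before the key, so if allow rules are applied per matched line as the neighbouring entries suggest, a real credential such as `db_update_password: "s3cr3t!"` would be suppressed along with the intended case. Ansible's `update_password` only takes the values `always` or `on_create`, so the allowlist can be pinned to exactly those instead of inheriting the broad character class copied from the `AllowUsersToChangePassword` entry: `"regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?(always|on_create)['\"]?"`. Widening the `description` to say that the value is a fixed enum rather than a secret (e.g. `"Avoiding Ansible update_password (enum: always|on_create)"`) would also make the intent clear to whoever extends this list next. I cannot see from the hunk how the scanner evaluates allow rules, so the over-suppression claim should be confirmed against the matching code.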
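Review bot: The fixture only exercises `update_password: "on_create"`, so the other accepted spelling is not covered; a second task with `update_password: "always"` would cover both values the module documents. Since `login_password` and `password` hold Jinja references rather than literals, the file stays negative regardless of how those keys are treated, which is presumably what makes this a clean check of the new rule. A companion positive fixture with a literal value under a key that merely contains the substring, e.g. `db_update_password: "P4ssw0rd!"`, would guard against the new allow rule being matched more broadly than intended.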