bug(scan): ansible false positive (in mysql_user at update_password)

[timo-fc]

During a scan of Ansible playbooks there is a false positive detection for a password.

Expected Behavior

Configuration parameter are not interpreted as password.

Actual Behavior

Checking a playbook containing the mysql_user module where the update_password parameter is set, results in a false positive.

https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html

Passwords And Secrets - Generic Password, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/common/487f4be7-3fd9-4506-a07a-eae252180c08

        [1]: ../../path/tasks/main.yml:9

                008:     password_expire: "never"
                009:     update_password: <SECRET-MASKED-ON-PURPOSE>
                010: 

Steps to Reproduce the Problem

Scan playbook containing the following:

- name: "Configure the MySQL user "
  community.mysql.mysql_user:
    login_user: "root"
    login_password: "{{ mysql_root_password }}"
    name: "{{ mysql_user }}"
    password: "{{ mysql_user_password }}"
    password_expire: "never"
    update_password: "on_create"

Specifications

• Version: v1.7.13 (docker)
• Platform: Linux
• Subsystem: Ansible