SONARPY-1419: FP on S6463 when using AWS from_security_group_id function (#1544)

Author: joke1196

python-checks/src/main/java/org/sonar/python/checks/cdk/UnrestrictedOutboundCommunicationsCheck.java

@@ -20,7 +20,12 @@
 package org.sonar.python.checks.cdk;
 
 import java.util.List;
+import java.util.Optional;
+
 import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.symbols.Symbol;
+import org.sonar.plugins.python.api.tree.CallExpression;
 
 import static org.sonar.python.checks.cdk.CdkPredicate.isTrue;
 import static org.sonar.python.checks.cdk.CdkUtils.getArgument;
@@ -31,13 +36,23 @@ public class UnrestrictedOutboundCommunicationsCheck extends AbstractCdkResource
   public static final String OMITTING_MESSAGE = "Omitting \"allow_all_outbound\" enables unrestricted outbound communications. Make sure it is safe here.";
   public static final String UNRESTRICTED_MESSAGE = "Make sure that allowing unrestricted outbound communications is safe here.";
 
+  private static final String SECURITY_GROUP_FQN = "aws_cdk.aws_ec2.SecurityGroup";
+
   @Override
   protected void registerFqnConsumer() {
-    checkFqns(List.of("aws_cdk.aws_ec2.SecurityGroup", "aws_cdk.aws_ec2.SecurityGroup.from_security_group_id"), (subscriptionContext, callExpression) ->
+    checkFqns(List.of(SECURITY_GROUP_FQN, "aws_cdk.aws_ec2.SecurityGroup.from_security_group_id"), (subscriptionContext, callExpression) ->
       getArgument(subscriptionContext, callExpression, "allow_all_outbound").ifPresentOrElse(
         argument -> argument.addIssueIf(isTrue(), UNRESTRICTED_MESSAGE),
-        () -> subscriptionContext.addIssue(callExpression.callee(), OMITTING_MESSAGE)
+        () -> raiseIssue(subscriptionContext, callExpression) 
       )
     );
   }
+
+  private static void raiseIssue(SubscriptionContext subscriptionContext, CallExpression callExpression) {
+    Optional.ofNullable(callExpression.calleeSymbol())
+      .map(Symbol::fullyQualifiedName)
+      .filter(fqn -> fqn.equals(SECURITY_GROUP_FQN))
+      .ifPresent(s -> subscriptionContext.addIssue(callExpression.callee(), OMITTING_MESSAGE));
+  }
+
 }

python-checks/src/test/resources/checks/cdk/unrestrictedOutboundCommunicationsCheck.py

@@ -21,8 +21,15 @@ def __init__(self, vpc):
             "sg-1234",
             allow_all_outbound=True  # NonCompliant{{Make sure that allowing unrestricted outbound communications is safe here.}}
         )
+ 
+        ec2.SecurityGroup.from_security_group_id(
+            self,
+            "SensitiveExplicit",
+            "sg-1234",
+            allow_all_outbound=False
+        )
 
-        ec2.SecurityGroup.from_security_group_id(  # NonCompliant{{Omitting "allow_all_outbound" enables unrestricted outbound communications. Make sure it is safe here.}}
+        ec2.SecurityGroup.from_security_group_id(  # Compliant ref: SONARPY-1159 and SONARPY-1419
             self,
             "SensitiveDefault",
             vpc=vpc