From 44f29a57247c5ecbc5c75dcb3d4e912c140e8c67 Mon Sep 17 00:00:00 2001
From: Omri SirComp
Date: Thu, 21 May 2026 16:14:45 +0300
Subject: [PATCH] fix(query): allow cloudformation db security group /24 cidrs

---
 .../aws/db_security_group_open_to_large_scope/query.rego | 2 +-
 .../test/negative1.yaml | 3 ++-
 .../test/negative2.yaml | 6 ++++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/query.rego b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/query.rego
index d55a5a8be71..b0457a6914e 100644
--- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/query.rego
+++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/query.rego
@@ -32,7 +32,7 @@ large_scope(ip_address, cidr) {
  to_number(input_mask[1]) < 120 # should be 120-128
  } else {
  input_mask := split(ip_address, "/")
- to_number(input_mask[1]) < 25 # should be 25-32
+ to_number(input_mask[1]) < 24 # should be 24-32
  }
  exposed_inline_or_standalone_ingress(res, ing_index, type, resource_index) = results {
  # inline ingresses
diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/negative1.yaml b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/negative1.yaml
index 00c2cb8c103..d17885b6e3b 100644
--- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/negative1.yaml
+++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/negative1.yaml
@@ -13,10 +13,11 @@ Resources:
  GroupDescription: "Ingress for Amazon EC2 security group"
  SecurityGroupIngress:
  - CidrIp: 1.2.3.4/28
+ - CidrIp: 10.0.0.0/24
 
  DbSecurityByEC2SecurityGroup2:
  Type: AWS::EC2::SecurityGroup
  Properties:
  GroupDescription: "Ingress for Amazon EC2 security group"
  SecurityGroupIngress:
- - CidrIpv6: 2001:db8:a::123/121
\ No newline at end of file
+ - CidrIpv6: 2001:db8:a::123/121
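Review bot: The new `< 24` threshold admits a /24 (256 addresses) as acceptable, and that happens to align the IPv4 branch with the IPv6 branch's `< 120` (128 - 120 = 8 host bits, also 256 addresses), but neither the changed comment nor the commit message says that this equivalence is the rationale, so the next reader will see two unrelated magic numbers. I'd replace `# should be 24-32` with `# /24 or narrower (<= 256 addresses) is accepted; same 8 host bits as the IPv6 /120 branch`. Because the comparison is on the prefix length, the first flagged value is now /23 rather than /24; the negative1 and negative2 hunks only exercise the accepted /24 side, so if the positive test data does not already contain a /23 ingress, adding one would pin the new boundary. If the query's description or metadata still states the old /25 scope, it should be updated in the same change. large_scope begins before this hunk, and the rule is undefined rather than false when the value carries no "/" at all, which is pre-existing behaviour not changed here.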
diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/negative2.yaml b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/negative2.yaml
index ce16480a8d1..55b11c6d573 100644
--- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/negative2.yaml
+++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/negative2.yaml
@@ -12,6 +12,12 @@ Resources:
  GroupId: !Ref DbSecurityByEC2SecurityGroup1
  CidrIp: 1.2.3.4/28
 
+ StandaloneIngressIPv4Max256Hosts:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !Ref DbSecurityByEC2SecurityGroup1
+ CidrIp: 10.0.0.0/24
+
  StandaloneIngressIPv6:
  Type: AWS::EC2::SecurityGroupIngress
  Properties: