@cx-ricardo-jesus cx-ricardo-jesus commented Oct 21, 2025

Reason for Proposed Changes

  • Currently, there is no query for Terraform/Azure that checks if the purge protection is enabled for an Azure Key Vault.
  • Quoting CIS_Microsoft_Azure_Foundations_Benchmark_v5.0.0: "Key vaults contain object keys, secrets, and certificates. Deletion of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended that the key vault be made recoverable by enabling the "purge protection" function."
  • Currently, when running the remediate KICS command, an error occurs because the variable ActualRemediationDoneNumber is not incremented for Beta queries (with the flag experimental set to true).

Proposed Changes

  • Implemented the query that returns a positive result when the field purge_protection_enabled is not defined or not set to true.
  • Regarding the metadata information, I took inspiration from a similar query implemented for the AzureResourceManager platform, which covers an analogous resource for AzureResourceManager, and also checks for the soft delete part.
  • Taking into account the information stated in the previous point, I think the most appropriate CWE is 530, and I set the severity to High, taking into account that the similar query mentioned above also has a HIGH severity.
  • Regarding the remediation fix, basically, I changed the Query struct in remediation.go to also store a boolean variable called experimental, which is extracted from the results file.
  • Also added the boolean Experimental variable to the Remediation structure.
  • Basically, now the remediationSet, which stores a set of Remediation structs, will also store the Experimental bool, which will be true or false depending on the value of the experimental field in the results file.
  • After these changes, the Beta queries will be capable of running the remediations but, as expected, will not present any result.

I submit this contribution under the Apache-2.0 license.
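The check described in the PR, expressed as an added Go example that is not code from the PR or from KICS: the real KICS query is written in Rego, but the same decision (flag an `azurerm_key_vault` whose `purge_protection_enabled` is undefined or not `true`) is shown here over a constructed document that imitates the flattened resource view KICS builds from a Terraform file. The `CheckPurgeProtection` function, the `Finding` struct and the sample JSON are assumptions made for this illustration; the result field names (`searchKey`, `issueType`, `keyExpectedValue`, `keyActualValue`) follow the names KICS uses in its results output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// sampleDocument is a constructed input, not taken from the PR: it imitates the
// flattened JSON view KICS builds from a Terraform file (resource -> type ->
// resource label -> attributes). Three key vaults cover the three cases the
// query has to distinguish: attribute missing, attribute false, attribute true.
const sampleDocument = `{
  "resource": {
    "azurerm_key_vault": {
      "kv_missing":  {"name": "kv-missing",  "location": "westeurope"},
      "kv_disabled": {"name": "kv-disabled", "location": "westeurope", "purge_protection_enabled": false},
      "kv_ok":       {"name": "kv-ok",       "location": "westeurope", "purge_protection_enabled": true}
    }
  }
}`

// Finding carries the fields a KICS result reports for one offending resource
// (the field names follow KICS result output; the struct itself is assumed).
type Finding struct {
	ResourceName     string
	SearchKey        string
	IssueType        string // "MissingAttribute" or "IncorrectValue"
	KeyExpectedValue string
	KeyActualValue   string
}

// CheckPurgeProtection (hypothetical name) flags every azurerm_key_vault whose
// purge_protection_enabled attribute is absent or is anything other than the
// boolean true, which is the condition the PR describes for a positive result.
func CheckPurgeProtection(doc []byte) ([]Finding, error) {
	var parsed struct {
		Resource struct {
			KeyVaults map[string]map[string]any `json:"azurerm_key_vault"`
		} `json:"resource"`
	}
	if err := json.Unmarshal(doc, &parsed); err != nil {
		return nil, fmt.Errorf("parsing document: %w", err)
	}

	const expected = "'purge_protection_enabled' should be defined and set to true"
	var findings []Finding
	for label, attrs := range parsed.Resource.KeyVaults {
		f := Finding{
			ResourceName:     label,
			SearchKey:        fmt.Sprintf("azurerm_key_vault[%s]", label),
			KeyExpectedValue: expected,
		}
		val, defined := attrs["purge_protection_enabled"]
		enabled, isBool := val.(bool) // comma-ok assertion is safe on a nil value
		switch {
		case !defined:
			f.IssueType = "MissingAttribute"
			f.KeyActualValue = "'purge_protection_enabled' is undefined"
		case !isBool || !enabled:
			f.IssueType = "IncorrectValue"
			f.KeyActualValue = fmt.Sprintf("'purge_protection_enabled' is %v", val)
		default:
			continue // purge protection is on: nothing to report
		}
		findings = append(findings, f)
	}
	// Map iteration order is random; sort so output and tests are deterministic.
	sort.Slice(findings, func(i, j int) bool {
		return findings[i].ResourceName < findings[j].ResourceName
	})
	return findings, nil
}

func main() {
	findings, err := CheckPurgeProtection([]byte(sampleDocument))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %-16s %s\n", f.SearchKey, f.IssueType, f.KeyActualValue)
	}
}
```

Treating a non-boolean value (for example a quoted `"true"` string) as `IncorrectValue` rather than as compliant is deliberate: the Azure provider only honours the boolean, so anything else leaves the vault without purge protection.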

@cx-ricardo-jesus cx-ricardo-jesus requested a review from a team as a code owner October 21, 2025 11:26
@github-actions github-actions bot added feature New feature query New query feature terraform Terraform query azure PR related with Azure Cloud labels Oct 21, 2025
@github-actions

KICS version: v2.1.13

| Category | Results |
|---|---|
| CRITICAL | 0 |
| HIGH | 0 |
| MEDIUM | 0 |
| LOW | 0 |
| INFO | 0 |
| TRACE | 0 |
| TOTAL | 0 |

| Metric | Values |
|---|---|
| Files scanned | 1 |
| Files parsed | 1 |
| Files failed to scan | 0 |
| Total executed queries | 47 |
| Queries failed to execute | 0 |
| Execution time | 0 |

@cx-ricardo-jesus cx-ricardo-jesus marked this pull request as draft October 21, 2025 11:39
@cx-ricardo-jesus cx-ricardo-jesus marked this pull request as ready for review October 21, 2025 11:57
@cx-ricardo-jesus cx-ricardo-jesus changed the title feat(query): implemented query Beta - Key Vault Purge Protection Is Enabled for terraform/azure feat(query): implemented query Beta - Key Vault Purge Protection Is Enabled for terraform/azure and fixed remediation problems Oct 28, 2025
@cx-artur-ribeiro cx-artur-ribeiro left a comment

Insane job fixing the remediation for experimental queries!
The new query also looks well done, nothing to point out.
