[Bug]: Multiple false positives due to incorrect conversion of JSON rules into PowerShell expressions #171

@silverhack

Description

What happened?
A bug in the internal module responsible for converting JSON-based rules into PowerShell where-like filters is generating incorrect logical expressions. Under certain conditions, the generated PowerShell queries do not reflect the original rule logic, which can lead to false positives.

I've seen this in rules that rely on multiple conditions or nested logical operators; under certain conditions, they may produce incorrect results in security scans.

How to reproduce it
Given the following JSON rule for Microsoft Fabric:

"query": [
    {
        "filter": [
            {
                "conditions": [
                    [
                        "settingName",
                        "eq",
                        "ShareLinkToEntireOrg"
                    ]
                ]
            }
        ]
    },
    {
        "connectOperator": "and",
        "filter": [
            {
                "conditions": [
                    [
                        "enabled",
                        "eq",
                        "True"
                    ],
                    [
                        "enabledSecurityGroups.Count",
                        "eq",
                        "0"
                    ]
                ],
                "operator": "and"
            }
        ]
    }
]

The internal module will generate the following where-like expression:

$_.settingName -eq 'ShareLinkToEntireOrg' -and ($_.enabled -eq $True -and $_.enabledSecurityGroups.Count -eq 0)

So if, for example, an organization is restricting the shareable links to only a number of security groups, the above filter will produce a false positive:

  • enabled is True
  • enabledSecurityGroups.Count is greater than 0

This configuration is compliant, but the generated expression incorrectly requires the following:

  • enabled is True
  • enabledSecurityGroups.Count is 0

As a result, the rule produces a false positive, flagging as FAIL a configuration that is actually valid and meets best practices.
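To make the rule-to-expression step reproducible outside the scanner, here is an added example (not the project's own converter) that takes the JSON rule shape from the report, builds a Where-Object expression from it, and dry-runs that expression against constructed Fabric tenant-setting objects. The function names (ConvertTo-FilterValue, ConvertTo-WhereExpression), the literal-typing rules (True/False become $True/$False, integers stay bare, everything else is quoted) and the sample objects are assumptions made for the example.

```powershell
# Added example, not code from the issue or the project. Converts a JSON rule of the
# shape shown above into a PowerShell where-like expression and evaluates it against
# constructed objects so the logic of a rule can be checked before it is used in a scan.

$ruleJson = @'
{
  "query": [
    {
      "filter": [
        { "conditions": [ [ "settingName", "eq", "ShareLinkToEntireOrg" ] ] }
      ]
    },
    {
      "connectOperator": "and",
      "filter": [
        {
          "conditions": [
            [ "enabled", "eq", "True" ],
            [ "enabledSecurityGroups.Count", "eq", "0" ]
          ],
          "operator": "and"
        }
      ]
    }
  ]
}
'@

function ConvertTo-FilterValue {
    # Assumed literal typing: True/False -> $True/$False, integers -> bare number,
    # anything else -> single-quoted string with embedded quotes doubled.
    param([string]$Value)
    if ($Value -in @('True', 'False')) { return ('${0}' -f $Value) }
    if ($Value -match '^-?\d+$')       { return $Value }
    return "'{0}'" -f ($Value -replace "'", "''")
}

function ConvertTo-WhereExpression {
    # Hypothetical converter: each "filter" becomes "$_.<field> -<op> <value>" terms joined by
    # the filter's "operator" (default and); query blocks are joined by "connectOperator".
    param([Parameter(Mandatory)]$Rule)
    $parts = @()
    foreach ($block in $Rule.query) {
        $filterExprs = @()
        foreach ($filter in $block.filter) {
            $conds = @(foreach ($c in $filter.conditions) {
                '$_.{0} -{1} {2}' -f $c[0], $c[1], (ConvertTo-FilterValue $c[2])
            })
            $inner = if ($filter.operator) { $filter.operator } else { 'and' }
            $expr  = $conds -join (' -{0} ' -f $inner)
            # Parenthesise multi-condition filters so the inner operator binds first
            $filterExprs += if ($conds.Count -gt 1) { "($expr)" } else { $expr }
        }
        if ($parts.Count -gt 0) {
            $connect = if ($block.connectOperator) { $block.connectOperator } else { 'and' }
            $parts += ('-{0}' -f $connect)
        }
        $parts += ($filterExprs -join ' -and ')
    }
    return ($parts -join ' ')
}

$rule       = $ruleJson | ConvertFrom-Json
$expression = ConvertTo-WhereExpression -Rule $rule
Write-Host "Generated expression:`n  $expression"
$filter     = [scriptblock]::Create($expression)

# Constructed sample settings (not real tenant data):
#   1. link sharing enabled but restricted to two security groups
#   2. link sharing enabled for the entire org (no group restriction)
#   3. an unrelated setting
$settings = @(
    [pscustomobject]@{ settingName = 'ShareLinkToEntireOrg'; enabled = $true; enabledSecurityGroups = @('sg-fabric-admins', 'sg-bi-authors') }
    [pscustomobject]@{ settingName = 'ShareLinkToEntireOrg'; enabled = $true; enabledSecurityGroups = @() }
    [pscustomobject]@{ settingName = 'TenantSettingX';       enabled = $true; enabledSecurityGroups = @() }
)

Write-Host "`nObjects matched by the expression:"
$settings | Where-Object -FilterScript $filter |
    ForEach-Object { '  {0} (groups: {1})' -f $_.settingName, $_.enabledSecurityGroups.Count }
```

Running this prints the same expression the report shows, and the dry run lists which of the constructed objects it matches, so the matched set can be compared with what the rule author intended (which objects should be reported as findings) independently of the scanner. The same harness can be pointed at real exported settings to confirm a rule before trusting its PASS/FAIL results.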

Labels: bug (Something isn't working), severity-high (Issue with high severity)