xray_security_policy error plan fails if malicious_package and min_severity are used together in criteria

[tiviuray]

Describe the bug
Plan fails if malicious_package and min_severity are used together in version 2.11.1, but it works with 2.11.0

criteria {
      fix_version_dependant = true
      malicious_package     = false
      min_severity          = "Critical"
}

Plan output:

|  Error: Invalid Attribute Combination
│ 
│ Attribute
│ "rule[Value({\"actions\":[{\"block_download\":[{\"active\":false,\"unscanned\":false}],\"block_release_bundle_distribution\":<null>,\"block_release_bundle_promotion\":<null>,\"build_failure_grace_period_in_days\":0,\"create_ticket_enabled\":<null>,\"fail_build\":false,\"mails\":<null>,\"notify_deployer\":<null>,\"notify_watch_recipients\":<null>,\"webhooks\":<null>}],\"criteria\":[{\"applicable_cves_only\":<null>,\"cvss_range\":<null>,\"exposures\":<null>,\"fix_version_dependant\":true,\"malicious_package\":false,\"min_severity\":\"Critical\",\"package_name\":<null>,\"package_type\":<null>,\"package_versions\":<null>,\"vulnerability_ids\":<null>}],\"name\":\"Fail_critical_vulnerability\",\"priority\":2})].criteria[Value({\"applicable_cves_only\":<null>,\"cvss_range\":<null>,\"exposures\":<null>,\"fix_version_dependant\":true,\"malicious_package\":false,\"min_severity\":\"Critical\",\"package_name\":<null>,\"package_type\":<null>,\"package_versions\":<null>,\"vulnerability_ids\":<null>})].min_severity"
│ cannot be specified when
│ "rule[Value({\"actions\":[{\"block_download\":[{\"active\":false,\"unscanned\":false}],\"block_release_bundle_distribution\":<null>,\"block_release_bundle_promotion\":<null>,\"build_failure_grace_period_in_days\":0,\"create_ticket_enabled\":<null>,\"fail_build\":false,\"mails\":<null>,\"notify_deployer\":<null>,\"notify_watch_recipients\":<null>,\"webhooks\":<null>}],\"criteria\":[{\"applicable_cves_only\":<null>,\"cvss_range\":<null>,\"exposures\":<null>,\"fix_version_dependant\":true,\"malicious_package\":false,\"min_severity\":\"Critical\",\"package_name\":<null>,\"package_type\":<null>,\"package_versions\":<null>,\"vulnerability_ids\":<null>}],\"name\":\"Fail_critical_vulnerability\",\"priority\":2})].criteria[Value({\"applicable_cves_only\":<null>,\"cvss_range\":<null>,\"exposures\":<null>,\"fix_version_dependant\":true,\"malicious_package\":false,\"min_severity\":\"Critical\",\"package_name\":<null>,\"package_type\":<null>,\"package_versions\":<null>,\"vulnerability_ids\":<null>})].malicious_package"
│ is specified

Requirements for and issue

• A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue)
• Your version of Artifactory and Xray (you can curl Artifactory version at $host/artifactory/api/system/version and Xray version at
  $host/xray/api/v1/system/version

Artifactory: 7.90.10
Xray: 3.104.11

• Your version of terraform

Terraform: 1.9.4

Expected behavior
Plan is succeded
Additional context
Add any other context about the problem here.

[alexhung]

@tiviuray The error is correct. malicious_package attribute is for "Malicious Packages" rule type, which is separate from "CVEs" (the min_severity and fix_version_dependant attributes are for).

You can verify this in the Xray policy web UI, where you can select "Malicious Packages" or "CVEs" rule type.

[tiviuray]

I understand, thanks for the answer