Access controls on Tables check - False Positive and Negative findings likely? Ignore this check?
‎07-29-2022 09:16 AM
I have been loving the scan function for update sets, but I'm concerned the "Access controls on Tables" check is not focused properly to provide good information. This has me considering ignoring the ACL findings on scan results, so I wanted to check and make sure I would be doing so on reasonable grounds.
Here's the check script (San Diego, build date 06-08-2022_0838):
(function (finding, current) {
    // current = the table record being scanned
    var g_acl = new GlideRecord('sys_security_acl');
    // Substring match on the ACL name; nothing here walks up the table hierarchy
    g_acl.addQuery('name', 'CONTAINS', current.name);
    g_acl.query();
    // No ACL name contains this table name -> raise a finding
    if (!g_acl.next()) {
        finding.setCurrentSource(current);
        finding.increment();
    }
})(finding, current);
As I'm reading this, it is only looking for the name of the table being checked in an ACL list. For a table that has one or more ACL rules defined, for example, Incident, this is fine and that table will pass. For tables that inherit all of their ACL rules from a parent, for example, many CMDB tables, these will not pass this check. Am I missing something here?
In addition, this seems like it will ignore false negatives as well, because the query is simply using 'CONTAINS' instead of a more specifically defined search that would precisely match the table name in only the appropriate ACL rule names. For example, a search for a generically named table like 'hardware' could match a number of tables that have the word 'hardware' as a component.
What do you think? I can see how this may be useful for newly developed tables with unique names that wouldn't be included, but right now it's pinging on the CMDB Computer, IP Switch and Network Gear tables (I believe because we added a field to them), but doesn't seem like a correct finding because all of these cmdb tables are inheriting table level ACL from parents with different names.
‎08-01-2022 01:38 AM
The functionality is really nice to have, but I only respond to the most obvious ones that need to be fixed before moving to another instance, because of the issues they can cause.
The ACL one is good to know, but as you stated: it doesn't really help you a lot.
If my answer helped you in any way, please then mark it as helpful.
Mark