Merge pull request #6857 from Checkmarx/critical_add

feat(critical): add critical severity to KICS CLI
Checkmarx · Mar 15, 2024 · 17375d2 · 17375d2
2 parents cef63ba + 362cd64
commit 17375d2
Show file tree

Hide file tree

Showing 105 changed files with 2,483 additions and 268 deletions.
diff --git a/.github/scripts/server-mock/package-lock.json b/.github/scripts/server-mock/package-lock.json
diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json
@@ -9,4 +9,4 @@
   "descriptionID": "3a7576e5",
   "cloudProvider": "aws",
   "cwe": ""
-}
+}
diff --git a/docs/BADGE.md b/docs/BADGE.md
@@ -19,6 +19,7 @@ For this example, let's assume HIGH and MEDIUM results are bad:
 
 ```bash
 #!/usr/bin/env bash
+CRITICAL=$(jq '.severity_counters.CRITICAL' results.json)
 HIGH=$(jq '.severity_counters.HIGH' results.json)
 MEDIUM=$(jq '.severity_counters.MEDIUM' results.json)
 LOW=$(jq '.severity_counters.LOW' results.json)

diff --git a/docs/changes.md b/docs/changes.md
@@ -13,7 +13,7 @@
 | ----------- | ------------------------------------------------------------------------------ |
 | `timeout`   | number of seconds the query has to execute before being canceled (default 60)  |
 | `profiling` | enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM) |
-| `fail-on`   | which kind of results should return an exit code different from 0 accepts: high, medium, low and info example: "high,low" (default [high,medium,low,info]) |
+| `fail-on`   | which kind of results should return an exit code different from 0 accepts: critical, high, medium, low and info example: "high,low" (default [critical,high,medium,low,info]) |
 | `ignore-on-exit` | defines which kind of non-zero exits code should be ignored accepts: all, results, errors, none example: if 'results' is set, only engine errors will make KICS exit code different|
 
 ## Updated Flags

diff --git a/docs/commands.md b/docs/commands.md
@@ -40,6 +40,7 @@ Use "kics [command] --help" for more information about a command.
 |-m, --bom                           |include bill of materials (BoM) in results output|
 |      --cloud-provider strings      |  list of cloud providers to scan (alicloud, aws, azure, gcp, nifcloud, tencentcloud)|
 |      --config string               |  path to configuration file|
+|      --new-severities              |  use new severities in query results |
 |      --disable-full-descriptions   |  disable request for full descriptions and use default vulnerability descriptions|
 |      --disable-secrets             |  disable secrets scanning|
 |      --enable-openapi-refs         |  resolve the file reference, on OpenAPI files (default [false])|
@@ -48,9 +49,9 @@ Use "kics [command] --help" for more information about a command.
 |  -e, --exclude-paths strings       |  exclude paths from scan<br>supports glob and can be provided multiple times or as a quoted comma separated string<br>example: './shouldNotScan/*,somefile.txt'|
 |      --exclude-queries strings     |  exclude queries by providing the query ID<br>cannot be provided with query inclusion flags<br>can be provided multiple times or as a comma separated string<br>example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db'|
 |  -x, --exclude-results strings     |  exclude results by providing the similarity ID of a result<br>can be provided multiple times or as a comma separated string<br>example: 'fec62a97d569662093dbb9739360942f...,31263s5696620s93dbb973d9360942fc2a...'|
-|      --exclude-severities strings  |  exclude results by providing the severity of a result<br>can be provided multiple times or as a comma separated string<br>example: 'info,low'<br>possible values: 'high, medium, low, info, trace'|
+|      --exclude-severities strings  |  exclude results by providing the severity of a result<br>can be provided multiple times or as a comma separated string<br>example: 'info,low'<br>possible values: 'critical, high, medium, low, info, trace'|
 |      --experimental-queries        |  include experimental queries (queries not yet thoroughly reviewed) (default [false])|
-|      --fail-on strings             |  which kind of results should return an exit code different from 0<br>accepts: high, medium, low and info<br>example: "high,low" (default [high,medium,low,info])|
+|      --fail-on strings             |  which kind of results should return an exit code different from 0<br>accepts: critical, high, medium, low and info<br>example: "high,low" (default [critical,high,medium,low,info])|
 |  -h, --help                        |  help for scan|
 |      --ignore-on-exit string       |  defines which kind of non-zero exits code should be ignored<br>accepts: all, results, errors, none<br>example: if 'results' is set, only engine errors will make KICS exit code different from 0 (default "none")|
 |  -i, --include-queries strings     |  include queries by providing the query ID<br>cannot be provided with query exclusion flags<br>can be provided multiple times or as a comma separated string<br>example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db'|

diff --git a/docs/creating-queries.md b/docs/creating-queries.md
@@ -225,7 +225,7 @@ go run ./cmd/console/main.go generate-id
 ```
 
 - `queryName` describes the name of the vulnerability
-- `severity` can be filled with `HIGH`, `MEDIUM`, `LOW` or `INFO`
+- `severity` can be filled with `CRITICAL`, `HIGH`, `MEDIUM`, `LOW` or `INFO`
 - `category` pick one of the following:
     - Access Control
     - Availability

diff --git a/docs/dockerhub.md b/docs/dockerhub.md
@@ -84,6 +84,7 @@ Flags:
   -m, --bom                           include bill of materials (BoM) in results output
       --cloud-provider strings        list of cloud providers to scan (alicloud, aws, azure, gcp)
       --config string                 path to configuration file
+      --new-severities                use new severities in query results
       --disable-full-descriptions     disable request for full descriptions and use default vulnerability descriptions
       --disable-secrets               disable secrets scanning
       --enable-openapi-refs           resolve the file reference, on OpenAPI files (default [false]) 
@@ -107,8 +108,8 @@ Flags:
                                       example: 'info,low'
       --experimental-queries          include experimental queries (queries not yet thoroughly reviewed) (default [false])
       --fail-on strings               which kind of results should return an exit code different from 0
-                                      accepts: high, medium, low and info
-                                      example: "high,low" (default [high,medium,low,info])
+                                      accepts: critical, high, medium, low and info
+                                      example: "high,low" (default [critical,high,medium,low,info])
   -h, --help                          help for scan
       --ignore-on-exit string         defines which kind of non-zero exits code should be ignored
                                       accepts: all, results, errors, none

diff --git a/docs/getting-started.md b/docs/getting-started.md
@@ -9,4 +9,4 @@ docker run -t -v {path_to_host_folder}:/path checkmarx/kics:latest scan -p /path
 ```
 
 ## Scan Example
-[![](https://user-images.githubusercontent.com/111127232/206156696-283f9d43-1ff1-4cf4-8fa6-6bf37a282360.gif)](https://user-images.githubusercontent.com/111127232/206156696-283f9d43-1ff1-4cf4-8fa6-6bf37a282360.gif)
+[![](https://raw.githubusercontent.com/Checkmarx/kics/23c62655308523e1bf6aa8ae5852848deb263651/docs/img/faster.gif)](https://raw.githubusercontent.com/Checkmarx/kics/23c62655308523e1bf6aa8ae5852848deb263651/docs/img/faster.gif)
diff --git a/docs/img/circleci-results.png b/docs/img/circleci-results.png
diff --git a/docs/img/faster.gif b/docs/img/faster.gif
diff --git a/docs/img/html_report.png b/docs/img/html_report.png
diff --git a/docs/img/kics_gitlab_pipeline_artifact.png b/docs/img/kics_gitlab_pipeline_artifact.png
diff --git a/docs/img/kics_gitlab_pipeline_failure.png b/docs/img/kics_gitlab_pipeline_failure.png
diff --git a/docs/img/kics_gitlab_pipeline_success.png b/docs/img/kics_gitlab_pipeline_success.png
diff --git a/docs/img/pdf-report.png b/docs/img/pdf-report.png
diff --git a/docs/img/pdf_report.png b/docs/img/pdf_report.png
diff --git a/docs/integrations_auto_scanning_visual_studio.md b/docs/integrations_auto_scanning_visual_studio.md
@@ -67,15 +67,17 @@ Example of results summary:
 ```hcl
 1: CxINFO - 2:04:47 PM]Results summary:
 2:                     Total Results": 141,
-3:                     "HIGH": 10,
-4:                     "INFO": 4,
-5:                     "LOW": 62,
-6:                     "MEDIUM": 65
+3:                     "CRITICAL": 0,
+4:                     "HIGH": 10,
+5:                     "INFO": 4,
+6:                     "LOW": 62,
+7:                     "MEDIUM": 65
 ```
 
 ## Viewing KICS Vulnerability Details
 Detailed information about the vulnerabilities that were detected is shown in the file editor window. The vulnerable code is highlighted according the severity level of the vulnerability, as follows:
 
+- Critical - pure red
 - High - red
 - Medium - orange
 - Info - green

diff --git a/docs/integrations_circleci.md b/docs/integrations_circleci.md
@@ -44,4 +44,4 @@ Go to the artifacts tab to inspect the results:
 
 Results will be displayed in plain text:
 
-<img src="https://raw.githubusercontent.com/Checkmarx/kics/master/docs/img/circleci-results.png" width="850">
+<img src="https://raw.githubusercontent.com/Checkmarx/kics/0f82e84ccbab376b4606efe5a85432d5b37ecb19/docs/img/circleci-results.png" width="850">
diff --git a/docs/integrations_codefresh.md b/docs/integrations_codefresh.md
@@ -13,7 +13,7 @@ You can find the KICS Codefresh step [here](https://github.com/Checkmarx/kics-co
 | ------------------------- | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | --------------------------------------------- |
 | PROJECT_PATH                     | terraform/main.tf,Dockerfile            | paths to a file or directories to scan, comma separated list                                                                                                | string  | Yes      | N/A                                           |
 | IGNORE\_ON\_EXIT                | results                                                                                 | defines which kind of non-zero exits code should be ignored (all, results, errors, none)                                                                                                                 | string               | No                    | N/A                  |
-| FAIL_ON                     | high,medium                                                                     | which kind of results should return an exit code different from 0                                                                                                                                        | string               | No                    | high,medium,low,info                  |
+| FAIL_ON                     | high,medium                                                                     | which kind of results should return an exit code different from 0                                                                                                                                        | string               | No                    | critical,high,medium,low,info                  |
 | TIME_OUT                                 | 75                                                                          | number of seconds the query has to execute before being canceled                                                                                                                                         | string               | No                    | 60                  |
 | PROFILING                                 | CPU                                                                       | enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)                                                                                  | string               | No                     | N/A                  |
 | TYPES                           | Ansible,Terraform                                                            | case insensitive list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, Docker Compose, GRPC, GoogleDeploymentManager, Kubernetes, OpenAPI, Terraform)      | string    | No                    | All                  |

diff --git a/docs/integrations_gitlabci.md b/docs/integrations_gitlabci.md
@@ -42,15 +42,15 @@ When your pipeline executes, it will run this job. If KICS finds any issues, it
 
 #### Pipeline Failure
 
-<img src="https://raw.githubusercontent.com/Checkmarx/kics/master/docs/img/kics_gitlab_pipeline_failure.png" width="850">
+<img src="https://raw.githubusercontent.com/Checkmarx/kics/fb3d0d28a14d79040e9368418016788bdd155017/docs/img/kics_gitlab_pipeline_failure.png" width="850">
 
 #### Pipeline Success
 
-<img src="https://raw.githubusercontent.com/Checkmarx/kics/master/docs/img/kics_gitlab_pipeline_success.png" width="850">
+<img src="https://raw.githubusercontent.com/Checkmarx/kics/fb3d0d28a14d79040e9368418016788bdd155017/docs/img/kics_gitlab_pipeline_success.png" width="850">
 
 #### Download Artifact
 
-<img src="https://raw.githubusercontent.com/Checkmarx/kics/master/docs/img/kics_gitlab_pipeline_artifact.png" width="850">
+<img src="https://raw.githubusercontent.com/Checkmarx/kics/f2cd57f929424ee60765622d8b1a3f784707a58f/docs/img/kics_gitlab_pipeline_artifact.png" width="850">
 
 ## Using GitLab SAST Reports
 

diff --git a/docs/integrations_tfcloud.md b/docs/integrations_tfcloud.md
@@ -25,6 +25,8 @@ And Create event hook.
 Note: You can choose which kind of severity you wish for KICS to fail on by passing `failOn` as query parameter in the URL. KICS will fail on any result found with that severity and above.
 
 Available Severities are:
+
+ - critical
  - high
  - medium
  - low

diff --git a/docs/results.md b/docs/results.md
@@ -56,6 +56,7 @@ JSON reports are sorted by severity (from high to info) and should looks like as
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 10,
 		"INFO": 0,
 		"LOW": 0,
@@ -671,14 +672,14 @@ SonarQube reports, follow [SonarQube Import Format](https://docs.sonarqube.org/l
 You can export html report by using `--report-formats "html"`.
 HTML reports are sorted by severity (from high to info), the results will have query information, a list of files which vulnerability was found and a code snippet where the problem was detected as you can see in following example:
 
-<img src="https://raw.githubusercontent.com/Checkmarx/kics/master/docs/img/html_report.png" width="850">
+<img src="https://raw.githubusercontent.com/Checkmarx/kics/fc93fd1fa4ed3572b0732c787be61d4c82fff2e5/docs/img/html_report.png" width="850">
 
 ## PDF
 
 You can export a pdf report by using `--report-formats "pdf"`.
 PDF reports are sorted by severity (from high to info), the results will have query information and a list of files alongside the line where the result was found.
 
-<img src="https://raw.githubusercontent.com/Checkmarx/kics/master/docs/img/pdf-report.png" width="850">
+<img src="https://raw.githubusercontent.com/Checkmarx/kics/514878ea3fbf98042def0b12cca475062321d36d/docs/img/pdf_report.png" width="850">
 
 ## CycloneDX
 
@@ -987,13 +988,14 @@ KICS displays the results in CLI. For detailed information, you can use `-v --lo
 
 ## Results Status Code
 
-| Code | Description                |
-| ---- | -------------------------- |
-| `0`  | No Results were Found      |
-| `50` | Found any `HIGH` Results   |
-| `40` | Found any `MEDIUM` Results |
-| `30` | Found any `LOW` Results    |
-| `20` | Found any `INFO` Results   |
+| Code | Description                 |
+| ---- | ----------------------------|
+| `0`  | No Results were Found       |
+| `60` | Found any `CRITICAL` Results|
+| `50` | Found any `HIGH` Results    |
+| `40` | Found any `MEDIUM` Results  |
+| `30` | Found any `LOW` Results     |
+| `20` | Found any `INFO` Results    |
 
 ## Error Status Code
 

diff --git a/e2e/fixtures/E2E_CLI_032_RESULT.json b/e2e/fixtures/E2E_CLI_032_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 8,
 		"INFO": 3,
 		"LOW": 3,

diff --git a/e2e/fixtures/E2E_CLI_033_RESULT.json b/e2e/fixtures/E2E_CLI_033_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 1,
 		"LOW": 2,

diff --git a/e2e/fixtures/E2E_CLI_036_RESULT.json b/e2e/fixtures/E2E_CLI_036_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 6,
 		"INFO": 3,
 		"LOW": 2,

diff --git a/e2e/fixtures/E2E_CLI_036_RESULT_2.json b/e2e/fixtures/E2E_CLI_036_RESULT_2.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 0,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_068_RESULT.json b/e2e/fixtures/E2E_CLI_068_RESULT.json
@@ -11,6 +11,7 @@
   "queries_failed_to_compute_similarity_id": 0,
   "scan_id": "console",
   "severity_counters": {
+    "CRITICAL": 0,
     "HIGH": 1,
     "INFO": 0,
     "LOW": 1,

diff --git a/e2e/fixtures/E2E_CLI_069_RESULT.json b/e2e/fixtures/E2E_CLI_069_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 0,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_070_RESULT.json b/e2e/fixtures/E2E_CLI_070_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 1,
 		"INFO": 0,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_071_RESULT.json b/e2e/fixtures/E2E_CLI_071_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 1,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_072_RESULT.json b/e2e/fixtures/E2E_CLI_072_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 1,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_073_RESULT.json b/e2e/fixtures/E2E_CLI_073_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 0,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_074_RESULT.json b/e2e/fixtures/E2E_CLI_074_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 73,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_075_RESULT.json b/e2e/fixtures/E2E_CLI_075_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 0,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_076_RESULT.json b/e2e/fixtures/E2E_CLI_076_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 0,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_077_RESULT.json b/e2e/fixtures/E2E_CLI_077_RESULT.json
@@ -11,6 +11,7 @@
   "queries_failed_to_compute_similarity_id": 0,
   "scan_id": "console",
   "severity_counters": {
+    "CRITICAL": 0,
     "HIGH": 2,
     "INFO": 0,
     "LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_078_RESULT.json b/e2e/fixtures/E2E_CLI_078_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 0,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_081_RESULT.json b/e2e/fixtures/E2E_CLI_081_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 1,
 		"INFO": 0,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_083_RESULT.json b/e2e/fixtures/E2E_CLI_083_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 0,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_084_RESULT.json b/e2e/fixtures/E2E_CLI_084_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 0,
 		"INFO": 0,
 		"LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_085_RESULT.json b/e2e/fixtures/E2E_CLI_085_RESULT.json
@@ -11,6 +11,7 @@
   "queries_failed_to_compute_similarity_id": 0,
   "scan_id": "console",
   "severity_counters": {
+    "CRITICAL": 0,
     "HIGH": 0,
     "INFO": 0,
     "LOW": 0,

diff --git a/e2e/fixtures/E2E_CLI_086_RESULT.json b/e2e/fixtures/E2E_CLI_086_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 6,
 		"INFO": 2,
 		"LOW": 3,

diff --git a/e2e/fixtures/E2E_CLI_087_RESULT.json b/e2e/fixtures/E2E_CLI_087_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 6,
 		"INFO": 2,
 		"LOW": 3,

diff --git a/e2e/fixtures/E2E_CLI_088_RESULT.json b/e2e/fixtures/E2E_CLI_088_RESULT.json
@@ -11,6 +11,7 @@
 	"queries_failed_to_compute_similarity_id": 0,
 	"scan_id": "console",
 	"severity_counters": {
+		"CRITICAL": 0,
 		"HIGH": 6,
 		"INFO": 2,
 		"LOW": 3,