Merge pull request #6789 from Checkmarx/joaom/kics-1026

feat(engine): resolve references between files as flag
Checkmarx · Nov 21, 2023 · 839dad3 · 839dad3
2 parents 277030e + ee525a7
commit 839dad3
Show file tree

Hide file tree

Showing 53 changed files with 2,065 additions and 81 deletions.
diff --git a/docs/commands.md b/docs/commands.md
@@ -49,6 +49,7 @@ Flags:
       --config string                 path to configuration file
       --disable-full-descriptions     disable request for full descriptions and use default vulnerability descriptions
       --disable-secrets               disable secrets scanning
+      --enable-openapi-refs           resolve the file reference, on OpenAPI files (default [false])
       --exclude-categories strings    exclude categories by providing its name
                                       cannot be provided with query inclusion flags
                                       can be provided multiple times or as a comma separated string
@@ -102,7 +103,7 @@ Flags:
       --exclude-type strings          case insensitive list of platform types not to scan
                                       (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerLessFW, Terraform)
                                       cannot be provided with type inclusion flags
-
+       
 Global Flags:
       --ci                  display only log messages to CLI output (mutually exclusive with silent)
   -f, --log-format string   determines log format (pretty,json) (default "pretty")

diff --git a/docs/dockerhub.md b/docs/dockerhub.md
@@ -86,6 +86,7 @@ Flags:
       --config string                 path to configuration file
       --disable-full-descriptions     disable request for full descriptions and use default vulnerability descriptions
       --disable-secrets               disable secrets scanning
+      --enable-openapi-refs           resolve the file reference, on OpenAPI files (default [false]) 
       --exclude-categories strings    exclude categories by providing its name
                                       cannot be provided with query inclusion flags
                                       can be provided multiple times or as a comma separated string
@@ -137,6 +138,7 @@ Flags:
       --exclude-type strings          case insensitive list of platform types not to scan
                                       (Ansible, AzureResourceManager, Buildah, CICD, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, ServerLessFW, Terraform)
                                       cannot be provided with type inclusion flags                                         
+      
 ```
 
 ```txt

diff --git a/e2e/fixtures/E2E_CLI_070_RESULT.json b/e2e/fixtures/E2E_CLI_070_RESULT.json
@@ -22,8 +22,8 @@
 	"start": "2023-10-27T16:46:52.5513995+01:00",
 	"end": "2023-10-27T16:46:52.8805179+01:00",
 	"paths": [
-		"/path/test/fixtures/experimental_test/sample",
-		"/path/test/fixtures/experimental_test/queries"
+    "/path/test/fixtures/experimental_test/sample",
+    "/path/test/fixtures/experimental_test/queries"
 	],
 	"queries": [
 		{

diff --git a/e2e/fixtures/E2E_CLI_071_RESULT.json b/e2e/fixtures/E2E_CLI_071_RESULT.json
@@ -0,0 +1,53 @@
+{
+	"kics_version": "development",
+	"files_scanned": 1,
+	"lines_scanned": 19,
+	"files_parsed": 1,
+	"lines_parsed": 19,
+	"lines_ignored": 0,
+	"files_failed_to_scan": 0,
+	"queries_total": 17,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"HIGH": 0,
+		"INFO": 1,
+		"LOW": 0,
+		"MEDIUM": 0,
+		"TRACE": 0
+	},
+	"total_counter": 1,
+	"total_bom_resources": 0,
+	"start": "2023-11-08T16:02:34.2300252Z",
+	"end": "2023-11-08T16:02:36.2803423Z",
+	"paths": [
+		"/path/test/fixtures/resolve_references"
+	],
+	"queries": [
+		{
+			"query_name": "Components Schema Definition Is Unused",
+			"query_id": "962fa01e-b791-4dcc-b04a-4a3e7389be5e",
+			"query_url": "https://swagger.io/specification/#components-object",
+			"severity": "INFO",
+			"platform": "OpenAPI",
+			"category": "Best Practices",
+			"experimental": false,
+			"description": "Components schemas definitions should be referenced or removed from Open API definition",
+			"description_id": "5cdc0f3b",
+			"files": [
+				{
+					"file_name": "path\\test\\fixtures\\resolve_references\\swagger.yaml",
+					"similarity_id": "ff39e561509c13315ce34a0be602a974d63231b70cb5cdf778109e062302f8eb",
+					"line": 17,
+					"issue_type": "IncorrectValue",
+					"search_key": "components.schemas.{{MyResponse}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "Schema should be used as reference somewhere",
+					"actual_value": "Schema is not used as reference"
+				}
+			]
+		}
+	]
+}
diff --git a/e2e/fixtures/E2E_CLI_072_RESULT.json b/e2e/fixtures/E2E_CLI_072_RESULT.json
@@ -0,0 +1,99 @@
+{
+	"kics_version": "development",
+	"files_scanned": 1,
+	"lines_scanned": 50,
+	"files_parsed": 1,
+	"lines_parsed": 55,
+	"lines_ignored": 0,
+	"files_failed_to_scan": 0,
+	"queries_total": 17,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"HIGH": 0,
+		"INFO": 1,
+		"LOW": 0,
+		"MEDIUM": 3,
+		"TRACE": 0
+	},
+	"total_counter": 4,
+	"total_bom_resources": 0,
+	"start": "2023-11-08T16:01:57.5219527Z",
+	"end": "2023-11-08T16:01:59.1971883Z",
+	"paths": [
+		"/path/test/fixtures/resolve_references"
+	],
+	"queries": [
+		{
+			"query_name": "Response Code Missing (v3)",
+			"query_id": "6c35d2c6-09f2-4e5c-a094-e0e91327071d",
+			"query_url": "https://swagger.io/specification/#operation-object",
+			"severity": "MEDIUM",
+			"platform": "OpenAPI",
+			"category": "Networking and Firewall",
+			"experimental": false,
+			"description": "500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.",
+			"description_id": "dbf15009",
+			"files": [
+				{
+					"file_name": "path\\test\\fixtures\\resolve_references\\swagger.yaml",
+					"similarity_id": "0e9d0a90c2069babcc7d07b581105ebda5dba82dc83c0ef588103f8805662c8c",
+					"line": 14,
+					"issue_type": "MissingAttribute",
+					"search_key": "paths.{{/users/{userId}}}.$ref=./paths/users/user.yaml",
+					"search_line": 0,
+					"search_value": "400 response",
+					"expected_value": "400 response should be set",
+					"actual_value": "400 response is undefined"
+				},
+				{
+					"file_name": "path\\test\\fixtures\\resolve_references\\swagger.yaml",
+					"similarity_id": "21b4b94761ab17c403b6455c8b88f295729ed9e98fd3101b2bb5cf5373fba1e6",
+					"line": 14,
+					"issue_type": "MissingAttribute",
+					"search_key": "paths.{{/users/{userId}}}.$ref=./paths/users/user.yaml",
+					"search_line": 0,
+					"search_value": "429 response",
+					"expected_value": "429 response should be set",
+					"actual_value": "429 response is undefined"
+				},
+				{
+					"file_name": "path\\test\\fixtures\\resolve_references\\swagger.yaml",
+					"similarity_id": "22e82edb39085e8787d853eed386b45f1774e7bbf7e1f08ed9662c33cd69d883",
+					"line": 14,
+					"issue_type": "MissingAttribute",
+					"search_key": "paths.{{/users/{userId}}}.$ref=./paths/users/user.yaml",
+					"search_line": 0,
+					"search_value": "500 response",
+					"expected_value": "500 response should be set",
+					"actual_value": "500 response is undefined"
+				}
+			]
+		},
+		{
+			"query_name": "Components Schema Definition Is Unused",
+			"query_id": "962fa01e-b791-4dcc-b04a-4a3e7389be5e",
+			"query_url": "https://swagger.io/specification/#components-object",
+			"severity": "INFO",
+			"platform": "OpenAPI",
+			"category": "Best Practices",
+			"experimental": false,
+			"description": "Components schemas definitions should be referenced or removed from Open API definition",
+			"description_id": "5cdc0f3b",
+			"files": [
+				{
+					"file_name": "path\\test\\fixtures\\resolve_references\\swagger.yaml",
+					"similarity_id": "ff39e561509c13315ce34a0be602a974d63231b70cb5cdf778109e062302f8eb",
+					"line": 17,
+					"issue_type": "IncorrectValue",
+					"search_key": "components.schemas.{{MyResponse}}",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "Schema should be used as reference somewhere",
+					"actual_value": "Schema is not used as reference"
+				}
+			]
+		}
+	]
+}
diff --git a/e2e/fixtures/E2E_CLI_073_RESULT.json b/e2e/fixtures/E2E_CLI_073_RESULT.json
@@ -0,0 +1,28 @@
+{
+	"kics_version": "development",
+	"files_scanned": 1,
+	"lines_scanned": 565,
+	"files_parsed": 1,
+	"lines_parsed": 565,
+	"lines_ignored": 0,
+	"files_failed_to_scan": 0,
+	"queries_total": 1,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"HIGH": 0,
+		"INFO": 0,
+		"LOW": 0,
+		"MEDIUM": 0,
+		"TRACE": 0
+	},
+	"total_counter": 0,
+	"total_bom_resources": 0,
+	"start": "2023-11-09T14:36:44.3290943Z",
+	"end": "2023-11-09T14:36:45.6631156Z",
+	"paths": [
+		"/path/test/fixtures/resolve_references_json"
+	],
+	"queries": []
+}