Merge branch 'master' into feat/update_nifcloud_bug_queries

Checkmarx · Feb 4, 2025 · 1a829b1 · 1a829b1
2 parents 20a38a8 + 2e3a47b
commit 1a829b1
Show file tree

Hide file tree

Showing 13 changed files with 273 additions and 21 deletions.
diff --git a/.github/scripts/report/go.mod b/.github/scripts/report/go.mod
@@ -1,6 +1,6 @@
 module github.com/Checkmarx/e2e-report
 
-go 1.23.1
+go 1.23.5
 
 require (
 	github.com/rs/zerolog v1.31.0

diff --git a/.github/scripts/server-mock/package-lock.json b/.github/scripts/server-mock/package-lock.json
diff --git a/.github/workflows/kics-gh-action.yaml b/.github/workflows/kics-gh-action.yaml
@@ -11,7 +11,7 @@ jobs:
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Run KICS Scan
-        uses: checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3
+        uses: checkmarx/kics-github-action@5a6152ef88416063435cebadfec9de28bcfd041d # v2.1.4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           path: "./Dockerfile"
@@ -20,6 +20,7 @@ jobs:
           output_path: ./results
           output_formats: json,html
           type: dockerfile
+          exclude_queries: 67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae # Ignore Last User Is 'root'
       - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: results

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.23.4-r0@sha256:07aa6232e1255b14e2cbde76323059af733b5017890d64670b57d51b33744220 AS build_env
+FROM checkmarx/go:1.23.5-r1@sha256:c7ad1d8f075e123f4b477bbe364b9c793b2d2c6cdbd299f4900e7e473913a1fa AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,7 +29,7 @@ RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git:2.47.0-r0@sha256:2f3ce1eb50ac04e3a9930a5f71526e3e3e22cd09964a9a2aab9d4c3787f25b21
+FROM checkmarx/git:2.47.0-r0@sha256:b80cefbc536108e0e8e4305f01fd76445533133f3e2d1fedc4cb64754e915a14
 
 ENV TERM xterm-256color
 
@@ -43,7 +43,7 @@ COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/
 
 WORKDIR /app/bin
 
-USER 65532
+USER root
 
 # Healthcheck the container
 ENV PATH $PATH:/app/bin

diff --git a/assets/queries/openAPI/general/array_without_maximum_number_items/query.rego b/assets/queries/openAPI/general/array_without_maximum_number_items/query.rego
@@ -17,8 +17,8 @@ CxPolicy[result] {
 		"documentId": doc.id,
 		"searchKey": sprintf("%s.type", [openapi_lib.concat_path(path)]),
 		"issueType": "MissingAttribute",
-		"keyActualValue": "Array schema has 'maxItems' set",
-		"keyExpectedValue": "Array schema has 'maxItems' undefined",
+		"keyExpectedValue": "Array schema has 'maxItems' set",
+		"keyActualValue": "Array schema has 'maxItems' undefined",
 		"searchLine": common_lib.build_search_line(path, []) ,
 		"overrideKey": version,
 	}
@@ -37,8 +37,8 @@ CxPolicy[result] {
 		"documentId": doc.id,
 		"searchKey": sprintf("%s.type", [openapi_lib.concat_path(path)]),
 		"issueType": "MissingAttribute",
-		"keyActualValue": "Array schema has 'maxItems' set",
-		"keyExpectedValue": "Array schema has 'maxItems' undefined",
+		"keyExpectedValue": "Array schema has 'maxItems' set",
+		"keyActualValue": "Array schema has 'maxItems' undefined",
 		"searchLine": common_lib.build_search_line(path, []) ,
 		"overrideKey": version,
 	}

diff --git a/assets/queries/openAPI/general/maximum_length_undefined/query.rego b/assets/queries/openAPI/general/maximum_length_undefined/query.rego
@@ -12,6 +12,7 @@ CxPolicy[result] {
 	info := openapi_lib.is_operation(path)
 	openapi_lib.content_allowed(info.operation, info.code)
 	openapi_lib.undefined_field_in_string_type(value, "maxLength")
+    checkForSecureStringFormats(value)
 	not limited_regex(value)
 
 	result := {
@@ -33,6 +34,7 @@ CxPolicy[result] {
 	[path, value] := walk(doc)
 	openapi_lib.is_operation(path) == {}
 	openapi_lib.undefined_field_in_string_type(value, "maxLength")
+	checkForSecureStringFormats(value)
 	not limited_regex(value)
 
 	result := {
@@ -51,3 +53,15 @@ limited_regex(value){
 	not contains(value.pattern, "*")
 	not regex.match("[^\\\\]{\\d+,}", value.pattern)
 }
+
+checkForSecureStringFormats(value) {
+	openapi_lib.undefined_field_in_string_type(value, "enum")   # enums have the maxLength implicit
+	checkStringFormat(value)
+}
+
+checkStringFormat(value) {
+    openapi_lib.undefined_field_in_string_type(value, "format")
+} else {
+    value["format"] != "date"       # date and date-time formats
+    value["format"] != "date-time"  # have the maxLength implicit
+}
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/negative10.yaml b/assets/queries/openAPI/general/maximum_length_undefined/test/negative10.yaml
@@ -0,0 +1,55 @@
+openapi: 3.0.0
+info:
+  title: Simple API Overview
+  version: 1.0.0
+paths:
+  "/":
+    get:
+      operationId: listVersionsv2
+      summary: List API versions
+      responses:
+        "200":
+          description: 200 response
+          content:
+            application/json:
+              examples:
+                foo:
+                  value:
+                    versions:
+                      - status: CURRENT
+                        updated: "2011-01-21T11:33:21Z"
+                        id: v2.0
+                        links:
+                          - href: http://127.0.0.1:8774/v2/
+                            rel: self
+components:
+  schemas:
+    GeneralError:
+      type: object
+      discriminator:
+        propertyName: petType
+      additionalProperties: false
+      properties:
+        code:
+          type: string
+          enum:
+            - brown
+            - grey
+            - black
+            - white
+        message:
+          type: string
+          format: date
+        extra:
+          type: string
+          format: date-time
+      required:
+        - petType
+  requestBodies:
+    NewItem:
+      description: A JSON object containing item data
+      required: true
+      content:
+        multipart/form-data:
+          schema:
+            $ref: "#/components/schemas/GeneralError"
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/negative11.json b/assets/queries/openAPI/general/maximum_length_undefined/test/negative11.json
@@ -0,0 +1,50 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "Simple API Overview",
+    "version": "1.0.0",
+    "contact": {
+      "name": "contact",
+      "url": "https://www.google.com/",
+      "email": "user@gmail.com"
+    }
+  },
+  "paths": {
+    "/": {
+      "get": {
+        "responses": {
+          "200": {
+            "description": "200 response",
+            "schema": {
+              "discriminator": "petType",
+              "additionalProperties": false,
+              "properties": {
+                "code": {
+                  "type": "string",
+                  "enum": [
+                    "brown",
+                    "grey",
+                    "black",
+                    "white"
+                  ]
+                },
+                "message": {
+                  "type": "string",
+                  "format": "date"
+                },
+                "extra": {
+                  "type": "string",
+                  "format": "date-time"
+                }
+              },
+              "required": [
+                "petType"
+              ],
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/negative12.yaml b/assets/queries/openAPI/general/maximum_length_undefined/test/negative12.yaml
@@ -0,0 +1,32 @@
+swagger: "2.0"
+info:
+  title: Simple API Overview
+  version: 1.0.0
+paths:
+  "/":
+    get:
+      operationId: listVersionsv2
+      summary: List API versions
+      responses:
+        "200":
+          description: 200 response
+          schema:
+            type: object
+            discriminator: petType
+            additionalProperties: false
+            properties:
+              code:
+                type: string
+                enum:
+                  - brown
+                  - grey
+                  - black
+                  - white
+              message:
+                type: string
+                format: date
+              extra:
+                type: string
+                format: date-time
+            required:
+              - petType
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/negative9.json b/assets/queries/openAPI/general/maximum_length_undefined/test/negative9.json
@@ -0,0 +1,94 @@
+{
+  "openapi": "3.0.0",
+  "info": {
+    "title": "Simple API Overview",
+    "version": "1.0.0",
+    "contact": {
+      "name": "contact",
+      "url": "https://www.google.com/",
+      "email": "user@gmail.com"
+    }
+  },
+  "paths": {
+    "/": {
+      "get": {
+        "operationId": "listVersionsv2",
+        "summary": "List API versions",
+        "responses": {
+          "200": {
+            "description": "200 response",
+            "content": {
+              "application/json": {
+                "examples": {
+                  "foo": {
+                    "value": {
+                      "versions": [
+                        {
+                          "status": "CURRENT",
+                          "updated": "2011-01-21T11:33:21Z",
+                          "id": "v2.0",
+                          "links": [
+                            {
+                              "href": "http://127.0.0.1:8774/v2/",
+                              "rel": "self"
+                            }
+                          ]
+                        }
+                      ]
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  },
+  "components": {
+    "schemas": {
+      "GeneralError": {
+        "type": "object",
+        "discriminator": {
+          "propertyName": "petType"
+        },
+        "additionalProperties": false,
+        "properties": {
+          "code": {
+            "type": "string",
+            "enum": [
+              "brown",
+              "grey",
+              "black",
+              "white"
+            ]
+          },
+          "message": {
+            "type": "string",
+            "format": "date"
+          },
+          "extra": {
+            "type": "string",
+            "format": "date-time"
+          }
+        },
+        "required": [
+          "petType"
+        ]
+      }
+    },
+    "requestBodies": {
+      "NewItem": {
+        "description": "A JSON object containing item data",
+        "required": true,
+        "content": {
+          "multipart/form-data": {
+            "schema": {
+              "$ref": "#/components/schemas/GeneralError"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
@@ -3,7 +3,7 @@
 # it does not define an ENTRYPOINT as this is a requirement described here:
 # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers
 #
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.1-bookworm as build_env
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.5-bookworm as build_env
 # Create a group and user
 RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx
 USER checkmarx