Ansible include causes kics to ignore its ignore patterns
Description
I have include statements in my Ansible playbooks. In one of the tasks of the top-playbook, there is a create_password parameter which triggers the generic password rule. I wanted to ignore this error, since it's a false positive. But KICS ignores the ignore-lines.
Top-Playbook:

```yaml
---
# test for kics ignore
# kics-scan ignore
- name: Playbook to Create users and Projects in Openstack
  hosts: localhost
  collections:
    - openstack.cloud
  environment:
    OS_PASSWORD: "{{ openstack_environment.pass }}"
    OS_AUTH_URL: "{{ openstack_environment.auth_url }}"
    OS_USERNAME: "{{ openstack_environment.username }}"
    OS_PROJECT_ID: "{{ openstack_environment.project_id }}"
    OS_PROJECT_NAME: "{{ openstack_environment.project_name }}"
    OS_USER_DOMAIN_NAME: "{{ openstack_environment.user_domain_name }}"
    OS_PROJECT_DOMAIN_ID: "{{ openstack_environment.project_domain_id }}"
    OS_REGION_NAME: "{{ openstack_environment.region_name }}"
    OS_INTERFACE: "{{ openstack_environment.interface }}"
    OS_IDENTITY_API_VERSION: "{{ openstack_environment.identity_api_version }}"
  tasks:
    - name: 'Ensure Projects are as defined'
      include: subroutines/debug.yml
    # kics-scan ignore-block
    - name: 'Create Users in Openstack'
      openstack.cloud.identity_user:
        state: present
        name: "{{ add_user.name }}"
        password: "{{ all_openstack_default_pass }}"
        email: "{{ add_user.email }}"
        # kics-scan ignore-line
        update_password: on_create
        default_project: "{{ add_user.orgunit }}"
        domain: default
      loop: "{{ users_present }}"
```
subroutines/debug.yml:

```yaml
#---
#- name: 'this is a task'
#  debug:
#    msg: 'this is an output'
```

Yes, this is all commented out. It doesn't make a difference what content this file has. It's enough that this file exists.
The result is:

```
Scanning with Keeping Infrastructure as Code Secure v1.5.13
Files scanned: 25
Parsed files: 24
Queries loaded: 281
Queries failed to execute: 0
------------------------------------
Passwords And Secrets - Generic Password, Severity: HIGH, Results: 2
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common

[1]: ../../path/openstack-users-and-projects.yml:42

	041: email: "{{ add_user.email }}"
	042: update_password: on_create
	043: default_project: "{{ add_user.orgunit }}"

[2]: ../../path/test-kics.yml:32

	031: # kics-scan ignore-line
	032: update_password: on_create
	033: default_project: "{{ add_user.orgunit }}"
```
| Testcase | Result |
|---|---|
| include statement points to existing valid file | ignore is not effective |
| include statement points to existing empty file | ignore is not effective |
| include statement points to nonexisting file | ignore is effective |
| include statement is missing | ignore is effective |
This seems to be true for every ignore-scope (file, block, line).
Expected Behavior
I expect kics to ignore the error and respect the comment.
Actual Behavior
Kics ignores the ignore statement.
Steps to Reproduce the Problem
- `mkdir -p subroutines && touch subroutines/debug.yml`
- copy my root-playbook
- run kics on the folder including the examples provided: `podman run -it -v $PWD:/path checkmarx/kics:latest scan -p "/path" --log-level=DEBUG`
- kics errors
- remove the include task OR `rm subroutines/debug.yml`
- run kics
- kics successfully ignores the update_password
Specifications
- Version: v1.5.13
- Platform: ubuntu linux / podman
- Subsystem: N/A
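The test-case table above describes what each ignore scope should suppress; the check below is an added example (mine, not the issue author's files and not part of the KICS project) that turns those expectations into a post-scan gate: it computes which lines of an Ansible playbook are covered by `# kics-scan ignore`, `ignore-block` and `ignore-line` comments, parses the `[n]: path:line` headers of a KICS text report, and flags any finding that lands on a suppressed line, which is exactly the symptom reported here. The ignore semantics implemented are an assumption (a simplification of the documented behaviour: file scope only when the marker precedes all YAML content, block scope as the next node plus everything indented deeper than it), and the playbook text, report text and path `playbooks/test-kics.yml` are constructed samples modelled on this issue.

```python
"""Compare a KICS text report against the kics-scan ignore comments in the scanned
Ansible YAML. A finding on a line covered by an ignore comment means the
suppression was not honoured (the behaviour this issue reports)."""
import re

# The three comment forms: file, block and line scope.
IGNORE_RE = re.compile(r"^\s*#\s*kics-scan\s+(ignore-line|ignore-block|ignore)\s*$")
# Result header in KICS text output, e.g. "[1]: path/test-kics.yml:32".
FINDING_RE = re.compile(r"^\[\d+\]:\s+(.+?):(\d+)\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _is_filler(line: str) -> bool:
    """Blank lines, comments and the '---' document marker carry no YAML node."""
    s = line.strip()
    return s == "" or s.startswith("#") or s == "---"


def ignored_lines(text: str) -> set[int]:
    """1-based line numbers suppressed by kics-scan comments.

    Assumed semantics (simplified from the KICS docs):
      ignore        before any YAML content -> whole file
      ignore-line   -> the next non-filler line
      ignore-block  -> the next non-filler line plus every following line that is
                       indented deeper than it (the YAML node starting there)
    """
    lines = text.splitlines()
    n = len(lines)
    ignored: set[int] = set()
    seen_content = False
    i = 0
    while i < n:
        m = IGNORE_RE.match(lines[i])
        if not m:
            seen_content = seen_content or not _is_filler(lines[i])
            i += 1
            continue
        scope = m.group(1)
        if scope == "ignore":
            if not seen_content:
                return set(range(1, n + 1))
            i += 1  # file-level marker after content: treated as not honoured
            continue
        j = i + 1
        while j < n and _is_filler(lines[j]):
            j += 1
        if j == n:
            break
        ignored.add(j + 1)
        if scope == "ignore-block":
            base = _indent(lines[j])
            k = j + 1
            while k < n and (not lines[k].strip() or _indent(lines[k]) > base):
                ignored.add(k + 1)
                k += 1
        seen_content = True
        i = j + 1
    return ignored


def parse_findings(report: str) -> list[tuple[str, int]]:
    """(path, line) for every '[n]: path:line' header in a KICS text report."""
    out = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def triage(report: str, sources: dict[str, str]) -> dict[str, list[tuple[str, int]]]:
    """Split findings into 'not_honoured' (on a suppressed line) and 'kept'.
    sources maps the path exactly as KICS prints it to the file's text."""
    result: dict[str, list[tuple[str, int]]] = {"not_honoured": [], "kept": []}
    cache = {path: ignored_lines(text) for path, text in sources.items()}
    for path, line in parse_findings(report):
        bucket = "not_honoured" if line in cache.get(path, set()) else "kept"
        result[bucket].append((path, line))
    return result


# Constructed sample playbook, modelled on the one in this issue (not the author's file).
SAMPLE_PLAYBOOK = """\
---
# constructed test playbook
- name: Playbook to Create users and Projects in Openstack
  hosts: localhost
  tasks:
    - name: 'Ensure Projects are as defined'
      include: subroutines/debug.yml
    # kics-scan ignore-block
    - name: 'Create Users in Openstack'
      openstack.cloud.identity_user:
        state: present
        password: "{{ all_openstack_default_pass }}"
        # kics-scan ignore-line
        update_password: on_create
        default_project: "{{ add_user.orgunit }}"
      loop: "{{ users_present }}"
    - name: 'Task outside any ignore scope'
      openstack.cloud.identity_user:
        password: "{{ other_pass }}"
"""

# Constructed report in the KICS text format; finding [1] sits on a suppressed line.
SAMPLE_REPORT = """\
Passwords And Secrets - Generic Password, Severity: HIGH, Results: 2
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common

[1]: playbooks/test-kics.yml:14

    013: # kics-scan ignore-line
    014: update_password: on_create

[2]: playbooks/test-kics.yml:19

    018: openstack.cloud.identity_user:
    019: password: "{{ other_pass }}"
"""

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, {"playbooks/test-kics.yml": SAMPLE_PLAYBOOK}))
```

Run it against a real scan by reading the text report and the scanned files into `sources` keyed by the path as KICS prints it; a non-empty `not_honoured` list is the signal to fail the pipeline step and investigate, instead of silently trusting that the comment suppressed the finding.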
Hello, @sluetze!
Thank you so much for using KICS and reaching us!
The Top-Playbook does not return any result on my side. Can you provide us the test-kics.yaml, please?
I reduced it to the minimum to reproduce the error and kept the failing task completely.
@sluetze, the test-kicks.txt returns no results on my side (I replaced to .yaml). Does it return on yours?
Yes. It does. Is the include file existing on your side?
@sluetze, I could not reproduce it:
Sorry, probably I am missing something.
I'll try to reproduce using direct execution via go. But the differences between your test and my test are: I use podman with v1.5.3 and Linux. Since the issue is dependent on whether the file exists or not, it may be OS specific.
I'll update the issue after trying to reproduce with go directly.
```
$ cat 5685/test-kicks.yaml
---
# this playbook creates users and projects in openstack,
# it's used for a "local authentication" mode, not for SSO
- name: Playbook to Create users and Projects in Openstack
  hosts: localhost
  collections:
    - openstack.cloud
  tasks:
    - name: 'Ensure Projects are as defined'
      include: subroutines/openstack_per_project_actions.yml
    - name: 'Create Users in Openstack'
      openstack.cloud.identity_user:
        state: present
        name: "{{ add_user.name }}"
        password: "{{ all_openstack_default_pass }}"
        email: "{{ add_user.email }}"
        # kics-scan ignore-line
        update_password: on_create
        default_project: "{{ add_user.orgunit }}"
        domain: default
      loop: "{{ users_present }}"
      loop_control:
        loop_var: add_user
~/github/kics$ tree 5685
5685
├── subroutines
│   └── openstack_per_project_actions.yml
└── test-kicks.yaml

1 directory, 2 files
~/github/kics$ cat 5685/subroutines/openstack_per_project_actions.yml
~/github/kics$ go run --tags dev ./cmd/console/main.go scan -p ./5685/
.0MO.
OMMMx
;NMX;
... ... ....
WMMMd cWMMM0. KMMMO ;xKWMMMMNOc. ,xXMMMMMWXkc.
WMMMd .0MMMN: KMMMO :XMMMMMMMMMMMWl xMMMMMWMMMMMMl
WMMMd lWMMMO. KMMMO xMMMMKc...'lXMk ,MMMMx .;dXx
WMMMd.0MMMX; KMMMO cMMMMd ' 'MMMMNl'
WMMMNWMMMMl KMMMO 0MMMN oMMMMMMMXkl.
WMMMMMMMMMMo KMMMO 0MMMX .ckKWMMMMMM0.
WMMMMWokMMMMk KMMMO oMMMMc . .:OMMMM0
WMMMK. dMMMM0. KMMMO KMMMMx' ,kNc :WOc. .NMMMX
WMMMd cWMMMX. KMMMO kMMMMMWXNMMMMMd .WMMMMWKO0NMMMMl
WMMMd ,NMMMN, KMMMO 'xNMMMMMMMNx, .l0WMMMMMMMWk,
xkkk: ,kkkkx okkkl ;xKXKx; ;dOKKkc

Scanning with Keeping Infrastructure as Code Secure development
Preparing Scan Assets: Done
Executing queries: [---------------------------------------------------] 100.00%
Files scanned: 2
Parsed files: 1
Queries loaded: 281
Queries failed to execute: 0
------------------------------------
Passwords And Secrets - Generic Password, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common

[1]: 5685/test-kicks.yaml:20

	019: # kics-scan ignore-line
	020: update_password: on_create
	021: default_project: "{{ add_user.orgunit }}"

Results Summary:
HIGH: 1
MEDIUM: 0
LOW: 0
INFO: 0
TOTAL: 1

Scan duration: 6.604341948s
exit status 50
```
```
PS H:\Eigene Dateien\Downloads\kics-master\kics> go run --tags dev ./cmd/console/main.go scan -p ./5685/

Scanning with Keeping Infrastructure as Code Secure development
Preparing Scan Assets: Done
Executing queries: [---------------------------------------------------] 100.00%
Files scanned: 2
Parsed files: 1
Queries loaded: 281
Queries failed to execute: 0
------------------------------------
Passwords And Secrets - Generic Password, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common

[1]: 5685\test-kics.yaml:20

	019: # kics-scan ignore-line
	020: update_password: on_create
	021: default_project: "{{ add_user.orgunit }}"

Results Summary:
HIGH: 1
MEDIUM: 0
LOW: 0
INFO: 0
TOTAL: 1

Scan duration: 5.6132228s
exit status 50
```
Reproduced with the same files as above on Windows.
Is the file which is referenced in the include existing?
Hi, @sluetze!
Unfortunately, I continue to not be able to reproduce the issue. So sorry.

What do you mean by "Is the file which is referenced in the include existing?"?
@sluetze, can we use your sample for test purposes?
@sluetze If so, please approve that we can use them under the Apache 2.0 license.
Hi Rafaela,
yes you can use the example under Apache 2.0 License