bug(openapi): scan report is reporting false positives analyzing OpenAPI v3 schema saying "content is undefined"
I am using the good practice of reusing responses in my OpenAPI spec, which format is defined here.
So every schema for my path responses is well defined inside my components/responses section.
When I am executing the scan with the following command:
docker run --rm -v "$(pwd):/workdir" \
checkmarx/kics:latest \
scan \
-p /workdir \
-o /workdir/sast-reports \
--report-formats json \
--output-name sast-iac-report
I am getting the query "Response on operations that should have a body has undefined schema (v3)" incorrectly reported on every response in my OpenAPI spec.
This is an example of what I am getting in the JSON report from SAST:
{
"query_name": "Response on operations that should have a body has undefined schema (v3)",
"query_id": "a92be1d5-d762-484a-86d6-8cd0907ba100",
"query_url": "https://swagger.io/docs/specification/describing-responses/",
"severity": "MEDIUM",
"platform": "OpenAPI",
"cwe": "665",
"cloud_provider": "COMMON",
"category": "Networking and Firewall",
"experimental": false,
"description": "If a response is not head or its code is not 204 or 304, it should have a schema defined",
"description_id": "eaff445e",
"files": [
{
"file_name": "<path_to_my_openapi_spec>/spec.yaml",
"similarity_id": "e08dcd3c1ce5c29d67f5bf23b68c33cb39476382ecb9dc34e9fab41b95ffb0c7",
"line": 60,
"issue_type": "MissingAttribute",
"search_key": "paths./<my_endpoint>.post.responses.500",
"search_line": -1,
"search_value": "",
"expected_value": "paths./<my_endpoint>.post.responses.500.content should be defined",
"actual_value": "paths./<my_endpoint>.post.responses.500.content is undefined"
},
.....
]
}
Expected Behavior
KICS is identifying the $ref reference, so the scan finds the required fields inside the defined response component.
Actual Behavior
KICS is not identifying the $ref reference, so the scan reports issues for not having a well defined schema on response codes which should have a body.
Steps to Reproduce the Problem
- Define in your OpenAPI spec a response to be reused:
components:
  responses:
    CustomResponse:
      description: Custom response with a well defined schema.
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/ErrorResponse"
- Define in your OpenAPI spec a path reusing a response defined in your component responses:
paths:
  /path1:
    post:
      responses:
        "401":
          $ref: "#/components/responses/CustomResponse"
- Run the scan command.
- Check the unexpected issue query inside the JSON report.
Specifications
- Version: v2.1.4
- Platform: Linux
- Subsystem: Ubuntu
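To make concrete what the query is checking and why an unresolved $ref produces these reports, the following is an added example, not KICS code and not from the issue author: a small Python reimplementation of the "response should have a body" rule, run over a constructed spec that mirrors the one in the report, once without and once with local $ref resolution. The spec contents and the helper names (resolve_ref, find_bodyless_responses) are assumptions for illustration; the real query's internals may differ.

```python
"""Added example (not KICS code): how a 'response on operations that should
have a body has undefined schema' check behaves with and without $ref resolution.
"""

# Constructed spec mirroring the issue: one reused response in components,
# one inline response that genuinely lacks a body, one 204 that must be skipped,
# and a HEAD operation that must be skipped. (Assumed data, not the reporter's file.)
SPEC = {
    "openapi": "3.0.3",
    "components": {
        "schemas": {
            "ErrorResponse": {
                "type": "object",
                "properties": {"message": {"type": "string"}},
            }
        },
        "responses": {
            "CustomResponse": {
                "description": "Custom response with a well defined schema.",
                "content": {
                    "application/json": {
                        "schema": {"$ref": "#/components/schemas/ErrorResponse"}
                    }
                },
            }
        },
    },
    "paths": {
        "/path1": {
            "post": {
                "responses": {
                    "401": {"$ref": "#/components/responses/CustomResponse"},
                    "500": {"description": "No content at all"},  # true positive
                    "204": {"description": "Empty"},               # exempt by code
                }
            },
            # exempt by method
            "head": {"responses": {"200": {"description": "headers only"}}},
        }
    },
}

# Status codes the rule exempts (they carry no body by definition).
BODYLESS_CODES = {"204", "304"}


def resolve_ref(spec, node):
    """Follow local '#/a/b/c' references (JSON-pointer style) until a concrete
    object is reached. Raises on external or cyclic references."""
    seen = set()
    while isinstance(node, dict) and "$ref" in node:
        ref = node["$ref"]
        if not ref.startswith("#/") or ref in seen:
            raise ValueError(f"unsupported or cyclic $ref: {ref}")
        seen.add(ref)
        node = spec
        for part in ref[2:].split("/"):
            # JSON pointer escaping: '~1' encodes '/', '~0' encodes '~'
            part = part.replace("~1", "/").replace("~0", "~")
            node = node[part]
    return node


def find_bodyless_responses(spec, resolve_refs):
    """Return KICS-style search keys for responses that should declare
    'content' but do not. With resolve_refs=False a '$ref' response is
    seen as an object without 'content', which is exactly the false positive."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            # skip non-operation keys (summary, parameters, ...) and HEAD
            if not isinstance(op, dict) or method.lower() == "head":
                continue
            for code, resp in op.get("responses", {}).items():
                if code in BODYLESS_CODES:
                    continue
                if resolve_refs:
                    resp = resolve_ref(spec, resp)
                if "content" not in resp:
                    findings.append(f"paths.{path}.{method}.responses.{code}")
    return findings


if __name__ == "__main__":
    print("without $ref resolution:", find_bodyless_responses(SPEC, resolve_refs=False))
    print("with $ref resolution:   ", find_bodyless_responses(SPEC, resolve_refs=True))
```

Without resolution the reused 401 response is flagged alongside the genuinely empty 500; with resolution only the 500 remains, which is the behaviour a scan that follows $ref should show.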
We face the same issue.
Hello @malkomich, thank you for your detailed breakdown. This issue should be fixed with the use of the --enable-openapi-refs flag. The engine should automatically resolve the "$ref" statements and fix the False Positives you are experiencing.
For other possible useful flags refer to the KICS Command Line Interface documentation.
Let me know if your issue is resolved; for now I will close this bug and assume the issue is solved. Also, you might have noted in my Pull Request that there are no plans to make "$ref" statements work without this flag.