bug(openapi): scan report is reporting false positives analyzing OpenAPI v3 schema saying "content is undefined"

Open malkomich opened this issue 1 year ago • 1 comments

I am using the good practice of reusing responses in my OpenAPI spec, whose format is defined here. So every schema for my path responses is well defined inside my components/responses section.

When I am executing the scan with the following command:

docker run --rm -v "$(pwd):/workdir" \
  checkmarx/kics:latest \
  scan \
    -p /workdir \
    -o /workdir/sast-reports \
    --report-formats json \
    --output-name sast-iac-report

I am getting the query "Response on operations that should have a body has undefined schema (v3)" incorrectly reported on every response in my OpenAPI spec.

This is an example of what I am getting in the JSON report from SAST:

{
	"query_name": "Response on operations that should have a body has undefined schema (v3)",
	"query_id": "a92be1d5-d762-484a-86d6-8cd0907ba100",
	"query_url": "https://swagger.io/docs/specification/describing-responses/",
	"severity": "MEDIUM",
	"platform": "OpenAPI",
	"cwe": "665",
	"cloud_provider": "COMMON",
	"category": "Networking and Firewall",
	"experimental": false,
	"description": "If a response is not head or its code is not 204 or 304, it should have a schema defined",
	"description_id": "eaff445e",
	"files": [
		{
			"file_name": "<path_to_my_openapi_spec>/spec.yaml",
			"similarity_id": "e08dcd3c1ce5c29d67f5bf23b68c33cb39476382ecb9dc34e9fab41b95ffb0c7",
			"line": 60,
			"issue_type": "MissingAttribute",
			"search_key": "paths./<my_endpoint>.post.responses.500",
			"search_line": -1,
			"search_value": "",
			"expected_value": "paths./<my_endpoint>.post.responses.500.content should be defined",
			"actual_value": "paths./<my_endpoint>.post.responses.500.content is undefined"
		},
        .....
        ]
}

Expected Behavior

KICS is identifying the $ref reference, so the scan finds the required fields inside the defined response component.

Actual Behavior

KICS is not identifying the $ref reference, so the scan reports issues for not having a well-defined schema on response codes which should have a body.

Steps to Reproduce the Problem

  1. Define in your OpenAPI spec a response to be reused:

     components:
       responses:
         CustomResponse:
           description: Custom response with a well defined schema.
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/ErrorResponse"

  2. Define in your OpenAPI spec a path reusing a response defined in your component responses:

     paths:
       /path1:
         post:
           responses:
             "401":
               $ref: "#/components/responses/CustomResponse"

  3. Run the scan command.
  4. Check the unexpected issue query inside the JSON report.

Specifications

  • Version: v2.1.4
  • Platform: Linux
  • Subsystem: Ubuntu

malkomich avatar Feb 03 '25 17:02 malkomich
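The false positive described in this report comes down to whether the checker follows the local `$ref` pointer on a Response Object before looking for `content`. The script below is an added illustration, not KICS's own query or engine code: it builds a small constructed spec that mirrors the reproduction steps (a reused `CustomResponse`, plus a `204` and a deliberately incomplete `500` response), resolves local JSON-pointer `$ref`s, and runs the "operations that should have a body must define content" rule both without and with resolution. The rule logic (skip `head` operations and the 204/304 codes) is taken from the query description in the report; everything else is an assumption of this example.

```python
"""Show how local $ref resolution changes the outcome of an OpenAPI v3
'response should define content' check. Added example, not KICS code."""

# Constructed sample document (not the reporter's real spec).
SPEC = {
    "openapi": "3.0.3",
    "components": {
        "schemas": {
            "ErrorResponse": {
                "type": "object",
                "properties": {"message": {"type": "string"}},
            }
        },
        "responses": {
            "CustomResponse": {
                "description": "Custom response with a well defined schema.",
                "content": {
                    "application/json": {
                        "schema": {"$ref": "#/components/schemas/ErrorResponse"}
                    }
                },
            }
        },
    },
    "paths": {
        "/path1": {
            "post": {
                "responses": {
                    "401": {"$ref": "#/components/responses/CustomResponse"},
                    "204": {"description": "No content"},
                    "500": {"description": "Genuinely missing content"},
                }
            },
            # head operations are exempt from the rule.
            "head": {"responses": {"200": {"description": "head has no body"}}},
        }
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
NO_BODY_CODES = {"204", "304"}


def resolve_ref(doc, ref):
    """Follow a local JSON pointer such as '#/components/responses/CustomResponse'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only document-local refs are supported: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        # RFC 6901 unescaping: ~1 -> '/', ~0 -> '~'
        part = part.replace("~1", "/").replace("~0", "~")
        node = node[part]
    return node


def resolve_response(doc, resp):
    """Follow a chain of $ref pointers on a Response Object, refusing cycles."""
    seen = []
    while isinstance(resp, dict) and "$ref" in resp:
        ref = resp["$ref"]
        if ref in seen:
            raise ValueError(f"circular $ref chain: {' -> '.join(seen + [ref])}")
        seen.append(ref)
        resp = resolve_ref(doc, ref)
    return resp


def find_undefined_content(doc, resolve_refs=True):
    """Return finding strings in the same shape as the report's actual_value."""
    findings = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or method == "head":
                continue
            for code, resp in op.get("responses", {}).items():
                if code in NO_BODY_CODES:
                    continue
                if resolve_refs:
                    resp = resolve_response(doc, resp)
                if "content" not in resp:
                    findings.append(
                        f"paths.{path}.{method}.responses.{code}.content is undefined"
                    )
    return findings


if __name__ == "__main__":
    print("without $ref resolution:", find_undefined_content(SPEC, resolve_refs=False))
    print("with $ref resolution:   ", find_undefined_content(SPEC))
```

Without resolution the `401` response is flagged purely because the `$ref` wrapper has no `content` key, which is the false positive in this report; with resolution only the `500` response remains, which is a real gap in the spec. A checker that resolves references still needs the cycle guard, since a `$ref` that points back at itself would otherwise loop forever.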

We face the same issue.

jenshoffmann1331 avatar Mar 20 '25 10:03 jenshoffmann1331

Hello @malkomich, thank you for your detailed breakdown. This issue should be fixed with the use of the --enable-openapi-refs flag. The engine should automatically resolve the "$ref" statements and fix the False Positives you are experiencing.

For other possible useful flags refer to the KICS Command Line Interface documentation.

Let me know if your issue is resolved; for now I will close this bug and assume the issue is solved. Also you might have noted in my Pull Request that there are no plans to make "$ref" statements work without this flag.

cx-andre-pereira avatar Oct 23 '25 15:10 cx-andre-pereira