Merge pull request #6893 from Checkmarx/critical-severity-flag

feat(engine): add new severity metadata field support
Checkmarx · Mar 14, 2024 · 4120bbc · 4120bbc
2 parents 9e5010d + 8b7cf1d
commit 4120bbc
Show file tree

Hide file tree

Showing 39 changed files with 1,888 additions and 131 deletions.
diff --git a/.github/scripts/server-mock/package-lock.json b/.github/scripts/server-mock/package-lock.json
diff --git a/assets/queries/ansible/aws/alb_listening_on_http/metadata.json b/assets/queries/ansible/aws/alb_listening_on_http/metadata.json
@@ -9,4 +9,4 @@
   "descriptionID": "3a7576e5",
   "cloudProvider": "aws",
   "cwe": ""
-}
+}
diff --git a/docs/commands.md b/docs/commands.md
@@ -40,6 +40,7 @@ Use "kics [command] --help" for more information about a command.
 |-m, --bom                           |include bill of materials (BoM) in results output|
 |      --cloud-provider strings      |  list of cloud providers to scan (alicloud, aws, azure, gcp, nifcloud, tencentcloud)|
 |      --config string               |  path to configuration file|
+|      --new-severities              |  use new severities in query results |
 |      --disable-full-descriptions   |  disable request for full descriptions and use default vulnerability descriptions|
 |      --disable-secrets             |  disable secrets scanning|
 |      --enable-openapi-refs         |  resolve the file reference, on OpenAPI files (default [false])|

diff --git a/docs/dockerhub.md b/docs/dockerhub.md
@@ -84,6 +84,7 @@ Flags:
   -m, --bom                           include bill of materials (BoM) in results output
       --cloud-provider strings        list of cloud providers to scan (alicloud, aws, azure, gcp)
       --config string                 path to configuration file
+      --new-severities                use new severities in query results
       --disable-full-descriptions     disable request for full descriptions and use default vulnerability descriptions
       --disable-secrets               disable secrets scanning
       --enable-openapi-refs           resolve the file reference, on OpenAPI files (default [false]) 

diff --git a/e2e/fixtures/E2E_CLI_093_RESULT.json b/e2e/fixtures/E2E_CLI_093_RESULT.json
@@ -0,0 +1,66 @@
+{
+  "kics_version": "development",
+  "files_scanned": 2,
+  "lines_scanned": 68,
+  "files_parsed": 2,
+  "lines_parsed": 68,
+  "lines_ignored": 0,
+  "files_failed_to_scan": 0,
+  "queries_total": 1,
+  "queries_failed_to_execute": 0,
+  "queries_failed_to_compute_similarity_id": 0,
+  "scan_id": "console",
+  "severity_counters": {
+    "CRITICAL": 0,
+    "HIGH": 0,
+    "INFO": 2,
+    "LOW": 0,
+    "MEDIUM": 0,
+    "TRACE": 0
+  },
+  "total_counter": 2,
+  "total_bom_resources": 0,
+  "start": "2024-01-31T15:46:25.2714687Z",
+  "end": "2024-01-31T15:46:25.5747871Z",
+  "paths": [
+    "/path/test/fixtures/test_new_severity/test",
+    "/path/test/fixtures/test_new_severity/info"
+  ],
+  "queries": [
+    {
+      "query_name": "Run Block Injection",
+      "query_id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b",
+      "query_url": "https://securitylab.github.com/research/github-actions-untrusted-input/",
+      "severity": "INFO",
+      "platform": "CICD",
+      "category": "Insecure Configurations",
+      "experimental": false,
+      "description": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.",
+      "description_id": "02044a75",
+      "files": [
+        {
+          "file_name": "path\\test\\fixtures\\test_new_severities\\test\\positive1.yaml",
+          "similarity_id": "2197922dab336742ff58010e01218006c9b2c930a840018ef8b42fb1284f2a45",
+          "line": 10,
+          "issue_type": "IncorrectValue",
+          "search_key": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n  if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n    :\n  else\n    echo \"This issue does not need to generate a markdown file.\" 1\u003e\u00262\n    exit 1;\n  fi;\nelse\n  echo \"The description of the issue is empty.\" 1\u003e\u00262\n  exit 1;\nfi;\n}}",
+          "search_line": 10,
+          "search_value": "github.event.issue.body",
+          "expected_value": "Run block does not contain dangerous input controlled by user.",
+          "actual_value": "Run block contains dangerous input controlled by user."
+        },
+        {
+          "file_name": "path\\test\\fixtures\\test_new_severities\\test\\positive1.yaml",
+          "similarity_id": "efac914cab5fb466570dd3a71ee3edd8197a15928c56c2aabff00f54d05c5e6d",
+          "line": 10,
+          "issue_type": "IncorrectValue",
+          "search_key": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n  if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n    :\n  else\n    echo \"This issue does not need to generate a markdown file.\" 1\u003e\u00262\n    exit 1;\n  fi;\nelse\n  echo \"The description of the issue is empty.\" 1\u003e\u00262\n  exit 1;\nfi;\n}}",
+          "search_line": 10,
+          "search_value": "github.event.issue.title",
+          "expected_value": "Run block does not contain dangerous input controlled by user.",
+          "actual_value": "Run block contains dangerous input controlled by user."
+        }
+      ]
+    }
+  ]
+}
diff --git a/e2e/fixtures/E2E_CLI_093_RESULT_2.json b/e2e/fixtures/E2E_CLI_093_RESULT_2.json
@@ -0,0 +1,66 @@
+{
+	"kics_version": "development",
+	"files_scanned": 2,
+	"lines_scanned": 68,
+	"files_parsed": 2,
+	"lines_parsed": 68,
+	"lines_ignored": 0,
+	"files_failed_to_scan": 0,
+	"queries_total": 1,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"CRITICAL": 0,
+		"HIGH": 0,
+		"INFO": 0,
+		"LOW": 2,
+		"MEDIUM": 0,
+		"TRACE": 0
+	},
+	"total_counter": 2,
+	"total_bom_resources": 0,
+	"start": "2024-01-31T15:46:25.2714687Z",
+	"end": "2024-01-31T15:46:25.5747871Z",
+	"paths": [
+    "/path/test/fixtures/test_new_severity/test",
+    "/path/test/fixtures/test_new_severity/low"
+	],
+	"queries": [
+		{
+			"query_name": "Run Block Injection",
+			"query_id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b",
+			"query_url": "https://securitylab.github.com/research/github-actions-untrusted-input/",
+			"severity": "LOW",
+			"platform": "CICD",
+			"category": "Insecure Configurations",
+			"experimental": false,
+			"description": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.",
+			"description_id": "02044a75",
+			"files": [
+        {
+          "file_name": "path\\test\\fixtures\\test_new_severities\\test\\positive1.yaml",
+          "similarity_id": "2197922dab336742ff58010e01218006c9b2c930a840018ef8b42fb1284f2a45",
+          "line": 10,
+          "issue_type": "IncorrectValue",
+          "search_key": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n  if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n    :\n  else\n    echo \"This issue does not need to generate a markdown file.\" 1\u003e\u00262\n    exit 1;\n  fi;\nelse\n  echo \"The description of the issue is empty.\" 1\u003e\u00262\n  exit 1;\nfi;\n}}",
+          "search_line": 10,
+          "search_value": "github.event.issue.body",
+          "expected_value": "Run block does not contain dangerous input controlled by user.",
+          "actual_value": "Run block contains dangerous input controlled by user."
+        },
+        {
+          "file_name": "path\\test\\fixtures\\test_new_severities\\test\\positive1.yaml",
+          "similarity_id": "efac914cab5fb466570dd3a71ee3edd8197a15928c56c2aabff00f54d05c5e6d",
+          "line": 10,
+          "issue_type": "IncorrectValue",
+          "search_key": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n  if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n    :\n  else\n    echo \"This issue does not need to generate a markdown file.\" 1\u003e\u00262\n    exit 1;\n  fi;\nelse\n  echo \"The description of the issue is empty.\" 1\u003e\u00262\n  exit 1;\nfi;\n}}",
+          "search_line": 10,
+          "search_value": "github.event.issue.title",
+          "expected_value": "Run block does not contain dangerous input controlled by user.",
+          "actual_value": "Run block contains dangerous input controlled by user."
+        }
+			]
+		}
+	]
+}
diff --git a/e2e/fixtures/E2E_CLI_093_RESULT_3.json b/e2e/fixtures/E2E_CLI_093_RESULT_3.json
@@ -0,0 +1,66 @@
+{
+	"kics_version": "development",
+	"files_scanned": 2,
+	"lines_scanned": 68,
+	"files_parsed": 2,
+	"lines_parsed": 68,
+	"lines_ignored": 0,
+	"files_failed_to_scan": 0,
+	"queries_total": 1,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"CRITICAL": 0,
+		"HIGH": 0,
+		"INFO": 0,
+		"LOW": 0,
+		"MEDIUM": 2,
+		"TRACE": 0
+	},
+	"total_counter": 2,
+	"total_bom_resources": 0,
+	"start": "2024-01-31T15:46:25.2714687Z",
+	"end": "2024-01-31T15:46:25.5747871Z",
+	"paths": [
+    "/path/test/fixtures/test_new_severity/test",
+    "/path/test/fixtures/test_new_severity/medium"
+	],
+	"queries": [
+		{
+			"query_name": "Run Block Injection",
+			"query_id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b",
+			"query_url": "https://securitylab.github.com/research/github-actions-untrusted-input/",
+			"severity": "MEDIUM",
+			"platform": "CICD",
+			"category": "Insecure Configurations",
+			"experimental": false,
+			"description": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.",
+			"description_id": "02044a75",
+			"files": [
+        {
+          "file_name": "path\\test\\fixtures\\test_new_severities\\test\\positive1.yaml",
+          "similarity_id": "2197922dab336742ff58010e01218006c9b2c930a840018ef8b42fb1284f2a45",
+          "line": 10,
+          "issue_type": "IncorrectValue",
+          "search_key": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n  if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n    :\n  else\n    echo \"This issue does not need to generate a markdown file.\" 1\u003e\u00262\n    exit 1;\n  fi;\nelse\n  echo \"The description of the issue is empty.\" 1\u003e\u00262\n  exit 1;\nfi;\n}}",
+          "search_line": 10,
+          "search_value": "github.event.issue.body",
+          "expected_value": "Run block does not contain dangerous input controlled by user.",
+          "actual_value": "Run block contains dangerous input controlled by user."
+        },
+        {
+          "file_name": "path\\test\\fixtures\\test_new_severities\\test\\positive1.yaml",
+          "similarity_id": "efac914cab5fb466570dd3a71ee3edd8197a15928c56c2aabff00f54d05c5e6d",
+          "line": 10,
+          "issue_type": "IncorrectValue",
+          "search_key": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n  if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n    :\n  else\n    echo \"This issue does not need to generate a markdown file.\" 1\u003e\u00262\n    exit 1;\n  fi;\nelse\n  echo \"The description of the issue is empty.\" 1\u003e\u00262\n  exit 1;\nfi;\n}}",
+          "search_line": 10,
+          "search_value": "github.event.issue.title",
+          "expected_value": "Run block does not contain dangerous input controlled by user.",
+          "actual_value": "Run block contains dangerous input controlled by user."
+        }
+			]
+		}
+	]
+}
diff --git a/e2e/fixtures/E2E_CLI_093_RESULT_4.json b/e2e/fixtures/E2E_CLI_093_RESULT_4.json
@@ -0,0 +1,66 @@
+{
+	"kics_version": "development",
+	"files_scanned": 2,
+	"lines_scanned": 68,
+	"files_parsed": 2,
+	"lines_parsed": 68,
+	"lines_ignored": 0,
+	"files_failed_to_scan": 0,
+	"queries_total": 1,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"CRITICAL": 0,
+		"HIGH": 2,
+		"INFO": 0,
+		"LOW": 0,
+		"MEDIUM": 0,
+		"TRACE": 0
+	},
+	"total_counter": 2,
+	"total_bom_resources": 0,
+	"start": "2024-01-31T15:46:25.2714687Z",
+	"end": "2024-01-31T15:46:25.5747871Z",
+	"paths": [
+    "/path/test/fixtures/test_new_severity/test",
+    "/path/test/fixtures/test_new_severity/high"
+	],
+	"queries": [
+		{
+			"query_name": "Run Block Injection",
+			"query_id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b",
+			"query_url": "https://securitylab.github.com/research/github-actions-untrusted-input/",
+			"severity": "HIGH",
+			"platform": "CICD",
+			"category": "Insecure Configurations",
+			"experimental": false,
+			"description": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.",
+			"description_id": "02044a75",
+			"files": [
+        {
+          "file_name": "path\\test\\fixtures\\test_new_severities\\test\\positive1.yaml",
+          "similarity_id": "2197922dab336742ff58010e01218006c9b2c930a840018ef8b42fb1284f2a45",
+          "line": 10,
+          "issue_type": "IncorrectValue",
+          "search_key": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n  if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n    :\n  else\n    echo \"This issue does not need to generate a markdown file.\" 1\u003e\u00262\n    exit 1;\n  fi;\nelse\n  echo \"The description of the issue is empty.\" 1\u003e\u00262\n  exit 1;\nfi;\n}}",
+          "search_line": 10,
+          "search_value": "github.event.issue.body",
+          "expected_value": "Run block does not contain dangerous input controlled by user.",
+          "actual_value": "Run block contains dangerous input controlled by user."
+        },
+        {
+          "file_name": "path\\test\\fixtures\\test_new_severities\\test\\positive1.yaml",
+          "similarity_id": "efac914cab5fb466570dd3a71ee3edd8197a15928c56c2aabff00f54d05c5e6d",
+          "line": 10,
+          "issue_type": "IncorrectValue",
+          "search_key": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n  if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n    :\n  else\n    echo \"This issue does not need to generate a markdown file.\" 1\u003e\u00262\n    exit 1;\n  fi;\nelse\n  echo \"The description of the issue is empty.\" 1\u003e\u00262\n  exit 1;\nfi;\n}}",
+          "search_line": 10,
+          "search_value": "github.event.issue.title",
+          "expected_value": "Run block does not contain dangerous input controlled by user.",
+          "actual_value": "Run block contains dangerous input controlled by user."
+        }
+			]
+		}
+	]
+}
diff --git a/e2e/fixtures/E2E_CLI_093_RESULT_5.json b/e2e/fixtures/E2E_CLI_093_RESULT_5.json
@@ -0,0 +1,66 @@
+{
+	"kics_version": "development",
+	"files_scanned": 2,
+	"lines_scanned": 68,
+	"files_parsed": 2,
+	"lines_parsed": 68,
+	"lines_ignored": 0,
+	"files_failed_to_scan": 0,
+	"queries_total": 1,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"CRITICAL": 2,
+		"HIGH": 0,
+		"INFO": 0,
+		"LOW": 0,
+		"MEDIUM": 0,
+		"TRACE": 0
+	},
+	"total_counter": 2,
+	"total_bom_resources": 0,
+	"start": "2024-01-31T15:46:25.2714687Z",
+	"end": "2024-01-31T15:46:25.5747871Z",
+	"paths": [
+    "/path/test/fixtures/test_new_severity/test",
+    "/path/test/fixtures/test_new_severity/critical"
+	],
+	"queries": [
+		{
+			"query_name": "Run Block Injection",
+			"query_id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b",
+			"query_url": "https://securitylab.github.com/research/github-actions-untrusted-input/",
+			"severity": "CRITICAL",
+			"platform": "CICD",
+			"category": "Insecure Configurations",
+			"experimental": false,
+			"description": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.",
+			"description_id": "02044a75",
+			"files": [
+        {
+          "file_name": "path\\test\\fixtures\\test_new_severities\\test\\positive1.yaml",
+          "similarity_id": "2197922dab336742ff58010e01218006c9b2c930a840018ef8b42fb1284f2a45",
+          "line": 10,
+          "issue_type": "IncorrectValue",
+          "search_key": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n  if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n    :\n  else\n    echo \"This issue does not need to generate a markdown file.\" 1\u003e\u00262\n    exit 1;\n  fi;\nelse\n  echo \"The description of the issue is empty.\" 1\u003e\u00262\n  exit 1;\nfi;\n}}",
+          "search_line": 10,
+          "search_value": "github.event.issue.body",
+          "expected_value": "Run block does not contain dangerous input controlled by user.",
+          "actual_value": "Run block contains dangerous input controlled by user."
+        },
+        {
+          "file_name": "path\\test\\fixtures\\test_new_severities\\test\\positive1.yaml",
+          "similarity_id": "efac914cab5fb466570dd3a71ee3edd8197a15928c56c2aabff00f54d05c5e6d",
+          "line": 10,
+          "issue_type": "IncorrectValue",
+          "search_key": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n  if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n    :\n  else\n    echo \"This issue does not need to generate a markdown file.\" 1\u003e\u00262\n    exit 1;\n  fi;\nelse\n  echo \"The description of the issue is empty.\" 1\u003e\u00262\n  exit 1;\nfi;\n}}",
+          "search_line": 10,
+          "search_value": "github.event.issue.title",
+          "expected_value": "Run block does not contain dangerous input controlled by user.",
+          "actual_value": "Run block contains dangerous input controlled by user."
+        }
+			]
+		}
+	]
+}
diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help
@@ -45,6 +45,7 @@ Flags:
   -b, --libraries-path string         path to directory with libraries (default "./assets/libraries")
       --max-file-size int             max file size permitted for scanning, in MB (default 5)
       --minimal-ui                    simplified version of CLI output
+      --new-severities                use new severities in query results
       --no-progress                   hides the progress bar
       --output-name string            name used on report creations (default "results")
   -o, --output-path string            directory path to store reports