checkov icon indicating copy to clipboard operation
checkov copied to clipboard
verified publisher icon bridgecrewio

fix: [CKV_OPENAPI_3] Prevent false-positive when checking for http+!basic

Open aconrad opened this issue 1 year ago • 1 comments

Description

Currently:

  • ✅ Pass: type: http with scheme: basic fails
  • ❌ Fail: type: http with scheme: bearer (or anything else) passes

After this change:

  • ✅ Pass: type: http with scheme: basic fails
  • ✅ Pass: type: http with scheme: bearer (or anything else) passes

Fixes #6172

Description

Let's restate the purpose of CKV_OPENAPI_3:

Ensure that security schemes don’t allow cleartext credentials over unencrypted channel - version 3.x.y files

Currently, type: http and scheme: basic fail this check, which is good. Failing http+basic ensures that cleartext credentials aren't transmitted at all, but it doesn't check whether the channel is unencrypted (http vs. https), which the check doesn't seem to accomplish at all (separate issue). But type: http and scheme: bearer uses opaque tokens that aren't considered cleartext, and thus should pass this check but currently fails.

To be clear type: https isn't a valid type, those are the possible type values:

[...] where each scheme can be of type:

Source: https://swagger.io/docs/specification/authentication/

Fix

This is a false-positive and thus existing code should work fine and pass. If people disabled CKV_OPENAPI_3 to bypass this check then they could re-enable it after this PR is merged.

Checklist:

  • [x] My code follows the style guidelines of this project
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [x] I have added tests that prove my feature, policy, or fix is effective and works
  • [ ] New and existing tests pass locally with my changes
  • [x] Any dependent changes have been merged and published in downstream modules

Note: all tests are passing except 9 of them that complain about the aiodns library. Not sure how to solve that:

================================================================================= short test summary info =================================================================================
FAILED tests/common/utils/test_http_utils.py::test_aiohttp_client_session_wrapper_with_one_handled_exception - RuntimeError: Resolver requires aiodns library
FAILED tests/common/utils/test_http_utils.py::test_aiohttp_client_session_wrapper_with_several_handled_exceptions - RuntimeError: Resolver requires aiodns library
FAILED tests/common/utils/test_http_utils.py::test_raiohttp_client_session_wrapper_with_one_not_handled_exception - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_docker_image_scanning.py::test_report_results - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_docker_image_scanning.py::test_report_results_with_cicd - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_docker_image_scanning.py::test_report_results_fail - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_package_scanning.py::test_report_results - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_package_scanning.py::test_report_results_with_cicd - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_package_scanning.py::test_report_results_fail - RuntimeError: Resolver requires aiodns library
=========================================================== 9 failed, 4462 passed, 27 skipped, 5 warnings in 137.22s (0:02:17) ============================================================

aconrad avatar Jun 05 '24 22:06 aconrad

Tagging @Eliran-Turgeman and @Saarett who were involved in authoring/reviewing the original code in https://github.com/bridgecrewio/checkov/pull/2789.

aconrad avatar Jun 06 '24 03:06 aconrad

@aconrad Thanks for the contribution! I've merged the latest changes from the main branch and I'm running the tests.

Saarett avatar Jul 02 '24 21:07 Saarett

@Saarett Thanks! A check was failing because of an incorrect title, which I updated (hopefully it's good now)

aconrad avatar Jul 03 '24 03:07 aconrad