Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(openapi): add security definition type validation into CKV_OPENAPI_9 #5262

Merged
merged 3 commits into from
Jun 27, 2023
Merged

fix(openapi): add security definition type validation into CKV_OPENAPI_9 #5262

merged 3 commits into from
Jun 27, 2023

Conversation

afaiq
Copy link
Contributor

@afaiq afaiq commented Jun 26, 2023

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

  • added security definition type validation to skip checking if type is not oauth2

Fixes #5255

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@afaiq afaiq temporarily deployed to scan-security June 26, 2023 23:25 — with GitHub Actions Inactive
gruebel
gruebel approved these changes Jun 27, 2023
View reviewed changes
Copy link
Contributor

@gruebel gruebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice work, thanks for the contribution 🏆

bo156
bo156 approved these changes Jun 27, 2023
View reviewed changes
checkov/openapi/checks/resource/v2/OperationObjectSecurityScopeUndefined.py
@@ -50,6 +50,9 @@ def scan_openapi_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[Che
return CheckResult.FAILED, conf
if not isinstance(auth_definition, dict):
return CheckResult.UNKNOWN, conf
definition_type = auth_definition.get('type', {})
if definition_type != "oauth2":
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add a failing state for the UTs as well

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it already exists openapi/checks/resource/v2/example_OperationObjectSecurityScopeUndefined/fail1.json this fix handles false positives.

@gruebel gruebel merged commit c5091d0 into bridgecrewio:main Jun 27, 2023
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gruebel gruebel gruebel approved these changes

@bo156 bo156 bo156 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CKV_OPENAPI_9 should only check for OAuth2 security scheme in version 2.0
3 participants
@afaiq @gruebel @bo156