Updated docs image

Signed-off-by: Felipe Avelar <[email protected]>
Checkmarx · May 27, 2021 · de5d414 · de5d414
1 parent fb097a1
commit de5d414
Show file tree

Hide file tree

Showing 5 changed files with 337 additions and 0 deletions.
diff --git a/docs/img/html_report.png b/docs/img/html_report.png
diff --git a/payload_rego/payload.json b/payload_rego/payload.json
@@ -0,0 +1,176 @@
+{
+	"document": [
+		{
+			"paths": {
+				"/user/{id}": {
+					"get": {
+						"parameters": [
+							{
+								"description": "The user ID",
+								"in": "path",
+								"name": "id",
+								"required": true,
+								"schema": {
+									"minimum": 1,
+									"type": "integer"
+								}
+							}
+						]
+					}
+				},
+				"/users/{id}": {
+					"get": {
+						"parameters": [
+							{
+								"description": "The user ID",
+								"in": "path",
+								"name": "id",
+								"required": true,
+								"schema": {
+									"minimum": 1,
+									"type": "integer"
+								}
+							}
+						]
+					}
+				}
+			},
+			"id": "806bb28d-2f3f-4175-8ce1-5bf4c341f7cc",
+			"file": "/home/felipea/projects/kics/assets/queries/openAPI/path_ambiguous/test/negative2.json",
+			"openapi": "3.0.0",
+			"info": {
+				"title": "Simple API overview",
+				"version": "1.0.0"
+			}
+		},
+		{
+			"openapi": "3.0.0",
+			"info": {
+				"title": "Simple API overview",
+				"version": "1.0.0"
+			},
+			"paths": {
+				"/users/{id}": {
+					"get": {
+						"parameters": [
+							{
+								"in": "path",
+								"name": "id",
+								"required": true,
+								"description": "The user ID",
+								"schema": {
+									"type": "integer",
+									"minimum": 1
+								}
+							}
+						]
+					}
+				},
+				"/user/{id}": {
+					"get": {
+						"parameters": [
+							{
+								"in": "path",
+								"name": "id",
+								"required": true,
+								"description": "The user ID",
+								"schema": {
+									"type": "integer",
+									"minimum": 1
+								}
+							}
+						]
+					}
+				}
+			},
+			"id": "f66c8bd6-3994-4a71-aeca-07c8855a4379",
+			"file": "/home/felipea/projects/kics/assets/queries/openAPI/path_ambiguous/test/negative1.yaml"
+		},
+		{
+			"openapi": "3.0.0",
+			"info": {
+				"title": "Simple API overview",
+				"version": "1.0.0"
+			},
+			"paths": {
+				"/users/{ids}": {
+					"get": {
+						"parameters": [
+							{
+								"description": "The user ID",
+								"in": "path",
+								"name": "id",
+								"required": true,
+								"schema": {
+									"minimum": 1,
+									"type": "integer"
+								}
+							}
+						]
+					}
+				},
+				"/users/{id}": {
+					"get": {
+						"parameters": [
+							{
+								"description": "The user ID",
+								"in": "path",
+								"name": "id",
+								"required": true,
+								"schema": {
+									"minimum": 1,
+									"type": "integer"
+								}
+							}
+						]
+					}
+				}
+			},
+			"id": "4594b9d3-9b4d-481d-88ba-aaee53324bfa",
+			"file": "/home/felipea/projects/kics/assets/queries/openAPI/path_ambiguous/test/positive2.json"
+		},
+		{
+			"openapi": "3.0.0",
+			"info": {
+				"title": "Simple API overview",
+				"version": "1.0.0"
+			},
+			"paths": {
+				"/users/{id}": {
+					"get": {
+						"parameters": [
+							{
+								"description": "The user ID",
+								"schema": {
+									"type": "integer",
+									"minimum": 1
+								},
+								"in": "path",
+								"name": "id",
+								"required": true
+							}
+						]
+					}
+				},
+				"/users/{ids}": {
+					"get": {
+						"parameters": [
+							{
+								"in": "path",
+								"name": "id",
+								"required": true,
+								"description": "The user ID",
+								"schema": {
+									"minimum": 1,
+									"type": "integer"
+								}
+							}
+						]
+					}
+				}
+			},
+			"id": "98bbf05c-1ea6-4a3c-818c-51fed500e9d9",
+			"file": "/home/felipea/projects/kics/assets/queries/openAPI/path_ambiguous/test/positive1.yaml"
+		}
+	]
+}
diff --git a/reports/gl-sast-kics-result.json b/reports/gl-sast-kics-result.json
@@ -0,0 +1,81 @@
+{
+	"schema": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v13.1.0/dist/sast-report-format.json",
+	"version": "13.1.0",
+	"scan": {
+		"start_time": "2021-05-27T17:18:56",
+		"end_time": "2021-05-27T17:18:56",
+		"status": "success",
+		"type": "sast",
+		"scanner": {
+			"id": "keeping-infrastructure-as-code-secure",
+			"name": "Keeping Infrastructure as Code Secure",
+			"url": "https://www.kics.io/",
+			"version": "development",
+			"vendor": {
+				"name": "Checkmarx"
+			}
+		}
+	},
+	"vulnerabilities": [
+		{
+			"id": "c74f9332065de6dcd4d26f96fc4cce3891bac35a96e924d0a61c49a908a12e17",
+			"category": "Insecure Configurations",
+			"severity": "high",
+			"cve": "c74f9332065de6dcd4d26f96fc4cce3891bac35a96e924d0a61c49a908a12e17",
+			"scanner": {
+				"id": "keeping_infrastructure_as_code_secure",
+				"name": "Keeping Infrastructure as Code Secure"
+			},
+			"name": "Cluster Allows Unsafe Sysctls",
+			"message": "A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an unsafe sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined.",
+			"links": [
+				{
+					"url": "https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/"
+				}
+			],
+			"location": {
+				"file": "assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive.yaml",
+				"start_line": 23,
+				"end_line": 23
+			},
+			"identifiers": [
+				{
+					"type": "kics",
+					"name": "Keeping Infrastructure as Code Secure",
+					"url": "https://docs.kics.io/latest/queries/kubernetes-queries",
+					"value": "9127f0d9-2310-42e7-866f-5fd9d20dcbad"
+				}
+			]
+		},
+		{
+			"id": "e39585b20c16c0572248582507377add8cfe002b6eef31a08b06bf75ce18bc09",
+			"category": "Insecure Configurations",
+			"severity": "high",
+			"cve": "e39585b20c16c0572248582507377add8cfe002b6eef31a08b06bf75ce18bc09",
+			"scanner": {
+				"id": "keeping_infrastructure_as_code_secure",
+				"name": "Keeping Infrastructure as Code Secure"
+			},
+			"name": "Cluster Allows Unsafe Sysctls",
+			"message": "A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an unsafe sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined.",
+			"links": [
+				{
+					"url": "https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/"
+				}
+			],
+			"location": {
+				"file": "assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive.yaml",
+				"start_line": 8,
+				"end_line": 8
+			},
+			"identifiers": [
+				{
+					"type": "kics",
+					"name": "Keeping Infrastructure as Code Secure",
+					"url": "https://docs.kics.io/latest/queries/kubernetes-queries",
+					"value": "9127f0d9-2310-42e7-866f-5fd9d20dcbad"
+				}
+			]
+		}
+	]
+}
diff --git a/reports/kics-result.html b/reports/kics-result.html
@@ -0,0 +1,24 @@
+<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>KICS Scan Result</title><style>*{margin:0;padding:0;outline:0;box-sizing:border-box}body{font-family:sans-serif}.container{display:flex;align-items:center;flex-direction:column;margin:5px;border:1px solid #bebebe}.run-info{display:flex;flex-wrap:wrap;border:1px solid #bebebe;margin-top:10px;width:50vw}.run-info>span{flex-basis:50%;text-align:center}.counters{display:flex;flex-direction:row;margin:22px 0}.report-header-footer{display:flex;flex-direction:row;justify-content:space-between;border-bottom:1px solid #bebebe;width:100%;padding:15px 21px;background-color:#503e9e;height:50px;font-weight:700;font-size:14px;color:#fff;cursor:default;user-select:none}.report-header-footer>a{color:inherit;text-decoration:inherit}.report-header-footer>.title{font-size:18px}.report-header-footer>.title>span{color:#000}.report-header-footer>.timestamp{font-weight:400;font-style:italic;opacity:.5}.severity{display:flex;flex-direction:column;cursor:pointer;position:relative;margin:0 22px;align-items:center}.severity>.caption.selected{text-decoration:underline overline}.badge{color:#fff;border:2px solid #e8e8e8;border-radius:50%;cursor:default;user-select:none;padding:3px;font-size:10px;display:flex;align-items:center;justify-content:center;width:30px;height:30px;position:absolute;left:60%;top:50%}.kics-orange{color:#fc6e3a}.kics-orange>svg{fill:#fc6e3a}.kics-orange~.badge{background-color:#503e9e}.kics-purple{color:#503e9e}.kics-purple>svg{fill:#503e9e}.kics-purple~.badge{background-color:#fc6e3a}.severity>.icon>svg{width:80px;height:auto}.severity>.caption{font-size:16px;font-weight:bolder;user-select:none;cursor:default}.separator{border-top:1px solid #979797;opacity:.5;width:95%;margin:22px 0}.query{width:95vw}.query-title{display:flex;align-items:flex-start;flex-direction:column;width:100%}.query-title>h2{display:flex}.query-title>h2>div{width:20px;margin-right:12px;margin-left:-30px}.query>*{margin-left:30px}.query-info{display:flex;flex-direction:column;justify-content:space-between}.query-details{margin:12px 0;display:flex;flex-direction:column}.query-details>span:first-child{font-size:18px}.query-details>span:last-child{font-size:14px}.vulnerable-info{border:1px #969696 solid;border-radius:2px;display:flex;flex-direction:column;margin:6px 9px}.vulnerable-info-header{display:flex;flex-direction:row;justify-content:space-between;margin:6px 9px}.vulnerable-info-details{display:flex;flex-direction:column;margin:6px 9px}.vulnerable-info-details>span>strong{width:5vw}.code-box{display:flex;flex-direction:column;background-color:#503e9e10}.code-line{display:flex;flex-direction:row;align-items:center;height:20px}.code-box>.error{background-color:#fc6e3a50}.code-line>.code-line-counter{font-size:10px;margin-left:9px;margin-right:10vw}.code-line>.code{font-family:monospace;font-size:16px}.kics-message{margin:24px 30vw;text-align:center}.love{color:#503e9d;font-style:italic}.social-networks{display:flex;flex-direction:row;align-items:center;justify-content:center;margin-bottom:24px}.social-networks>a{margin:0 15px}.social-networks>a>div>svg{width:20px;height:20px}.footer-text{font-style:italic;opacity:.5;font-weight:400;width:100%;display:flex;align-self:center;justify-content:center}a.checkmarx,a.checkmarx:visited,a.checkmarx:hover,a.checkmarx:active{cursor:pointer;font-weight:700;text-decoration:underline;color:#fff;opacity:.8}.hide{display:none}summary{cursor:pointer;user-select:none;font-size:18px;font-weight:700}</style><script>function filter(a){const b=document.querySelectorAll("[data-type='severity']");b.forEach(b=>a!=="TOTAL"&&a!==b.getAttribute("data-name")?b.classList.add("hide"):b.classList.remove("hide"));const c=document.querySelectorAll(".severity > .caption");c.forEach(b=>a&&a===b.innerText?b.classList.add("selected"):b.classList.remove("selected"))}</script></head><body><div class="container"><div class="report-header-footer"><span class="title">KICS <span>REPORT</span></span><span class="timestamp">05/27/2021 17:18</span><a href="https://www.kics.io/" target="_blank">KICS.IO</a></div><div class="run-info"><span style="flex-basis:100%"><b>Scanned paths:</b> assets/queries/k8s/cluster_allows_unsafe_sysctls/</span>
+<span style="flex-basis:100%"><b>Platforms:</b> Kubernetes</span><span><b>Start time:</b> 17:18:56, May 27 2021</span>
+<span><b>End time:</b> 17:18:56, May 27 2021</span></div><h2 style="margin-top:41px" class="kics-orange">Vulnerabilities:</h2><div class="counters"><div class="severity" onclick="filter('HIGH')"><div class="kics-orange icon"><svg xmlns="http://www.w3.org/2000/svg" enable-background="new 0 0 24 24" height="24px" viewBox="0 0 24 24" width="24px" fill="#000000"><g><path d="M0,0h24v24H0V0z" fill="none"/></g><g><path d="M12,2L4,5v6.09c0,5.05,3.41,9.76,8,10.91c4.59-1.15,8-5.86,8-10.91V5L12,2z M13,16h-2v-2h2V16z M13,12h-2V7h2V12z"/></g></svg></div><span class="badge">2</span>
+<span class="caption">HIGH</span></div><div class="severity" onclick="filter('MEDIUM')"><div class="kics-orange icon"><svg xmlns="http://www.w3.org/2000/svg" enable-background="new 0 0 24 24" height="24px" viewBox="0 0 24 24" width="24px" fill="#000000"><g><path d="M0,0h24v24H0V0z" fill="none"/></g><g><g><path d="M12,2L4,5v6.09c0,5.05,3.41,9.76,8,10.91c4.59-1.15,8-5.86,8-10.91V5L12,2z M18,11.09c0,4-2.55,7.7-6,8.83 c-3.45-1.13-6-4.82-6-8.83v-4.7l6-2.25l6,2.25V11.09z"/><rect height="2" width="2" x="11" y="14"/><rect height="5" width="2" x="11" y="7"/></g></g></svg></div><span class="badge">0</span>
+<span class="caption">MEDIUM</span></div><div class="severity" onclick="filter('LOW')"><div class="kics-purple icon"><svg xmlns="http://www.w3.org/2000/svg" enable-background="new 0 0 24 24" height="24px" viewBox="0 0 24 24" width="24px" fill="#000000"><g><path d="M0,0h24v24H0V0z" fill="none"/></g><g><g><path d="M12,2L4,5v6.09c0,5.05,3.41,9.76,8,10.91c4.59-1.15,8-5.86,8-10.91V5L12,2z M18,11.09c0,4-2.55,7.7-6,8.83 c-3.45-1.13-6-4.82-6-8.83v-4.7l6-2.25l6,2.25V11.09z"/><rect height="2" width="2" x="11" y="14"/><rect height="5" width="2" x="11" y="7"/></g></g></svg></div><span class="badge">0</span>
+<span class="caption">LOW</span></div><div class="severity" onclick="filter('INFO')"><div class="kics-purple icon"><svg xmlns="http://www.w3.org/2000/svg" enable-background="new 0 0 24 24" height="24px" viewBox="0 0 24 24" width="24px" fill="#000000"><g><rect fill="none" height="24" width="24"/></g><g><g/><g><path d="M21,5l-9-4L3,5v6c0,5.55,3.84,10.74,9,12c2.3-0.56,4.33-1.9,5.88-3.71l-3.12-3.12c-1.94,1.29-4.58,1.07-6.29-0.64 c-1.95-1.95-1.95-5.12,0-7.07c1.95-1.95,5.12-1.95,7.07,0c1.71,1.71,1.92,4.35,0.64,6.29l2.9,2.9C20.29,15.69,21,13.38,21,11V5z"/><circle cx="12" cy="12" r="3"/></g></g></svg></div><span class="badge">0</span>
+<span class="caption">INFO</span></div><div class="severity" onclick="filter('TOTAL')"><div class="kics-orange icon"><svg xmlns="http://www.w3.org/2000/svg" enable-background="new 0 0 24 24" height="24px" viewBox="0 0 24 24" width="24px" fill="#000000"><g><rect fill="none" height="24" width="24"/></g><g><g/><g><path d="M21,5l-9-4L3,5v6c0,5.55,3.84,10.74,9,12c2.3-0.56,4.33-1.9,5.88-3.71l-3.12-3.12c-1.94,1.29-4.58,1.07-6.29-0.64 c-1.95-1.95-1.95-5.12,0-7.07c1.95-1.95,5.12-1.95,7.07,0c1.71,1.71,1.92,4.35,0.64,6.29l2.9,2.9C20.29,15.69,21,13.38,21,11V5z"/><circle cx="12" cy="12" r="3"/></g></g></svg></div><span class="badge">2</span>
+<span class="caption selected">TOTAL</span></div></div><div data-type="severity" data-name="HIGH"><hr class="separator"><div class="query"><div class="query-info"><div class="query-title"><h2><div class="kics-orange"><svg xmlns="http://www.w3.org/2000/svg" enable-background="new 0 0 24 24" height="24px" viewBox="0 0 24 24" width="24px" fill="#000000"><g><path d="M0,0h24v24H0V0z" fill="none"/></g><g><path d="M12,2L4,5v6.09c0,5.05,3.41,9.76,8,10.91c4.59-1.15,8-5.86,8-10.91V5L12,2z M13,16h-2v-2h2V16z M13,12h-2V7h2V12z"/></g></svg></div>Cluster Allows Unsafe Sysctls</h2><span><strong>Platform:</strong> Kubernetes</span>
+<span><strong>Category:</strong> Insecure Configurations</span></div><div class="query-details"><span>A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an unsafe sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined.</span>
+<span><a href="https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/" target="_blank">https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/</a></span></div></div><details><summary>Results (2)</summary><div class="vulnerable-info"><div class="vulnerable-info-header"><strong>File: /home/felipea/projects/kics/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive.yaml</strong>
+<span>Line 23</span></div><div class="vulnerable-info-details"><span><strong>Expected:</strong> metadata.name=sysctl-psp.spec.allowedUnsafeSysctls is undefined</span>
+<span><strong>Found:</strong> metadata.name=sysctl-psp.spec.allowedUnsafeSysctls is defined</span></div><div class="code-box"><div class="code-line"><span class="code-line-counter">22</span><span class="code"> name: sysctl-psp</span></div><div class="code-line error"><span class="code-line-counter">23</span><span class="code">spec:</span></div><div class="code-line"><span class="code-line-counter">24</span><span class="code"> allowedUnsafeSysctls:</span></div></div></div><div class="vulnerable-info"><div class="vulnerable-info-header"><strong>File: /home/felipea/projects/kics/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive.yaml</strong>
+<span>Line 8</span></div><div class="vulnerable-info-details"><span><strong>Expected:</strong> metadata.name=sysctl-example.spec.securityContext.sysctls does not have an unsafe sysctl</span>
+<span><strong>Found:</strong> metadata.name=sysctl-example.spec.securityContext.sysctls has an unsafe sysctl</span></div><div class="code-box"><div class="code-line"><span class="code-line-counter">7</span><span class="code"> securityContext:</span></div><div class="code-line error"><span class="code-line-counter">8</span><span class="code"> sysctls:</span></div><div class="code-line"><span class="code-line-counter">9</span><span class="code"> - name: kernel.shm_rmid_forced</span></div></div></div></details></div></div><hr class="separator"><div class="kics-message">KICS is open and will always stay such. Both the scanning engine and the security queries are clear and open for the software development community.</div><div class="love">Spread the love:</div><div class="social-networks"><a href="https://github.com/Checkmarx/kics/" target="_blank"><div><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 20 20">
+    <g fill="none" fill-rule="evenodd">
+        <g fill="#626264" fill-rule="nonzero">
+            <g>
+                <g>
+                    <path d="M13.172 19.5c2-.688 3.633-1.898 4.898-3.633 1.266-1.734 1.899-3.695 1.899-5.883 0-1.312-.25-2.586-.75-3.82S18 3.844 17.062 2.906C16.125 1.97 15.04 1.25 13.806.75 12.57.25 11.297 0 9.985 0c-1.313 0-2.587.25-3.82.75-1.235.5-2.321 1.219-3.259 2.156C1.97 3.844 1.25 4.93.75 6.164.25 7.398 0 8.672 0 9.984c0 2.188.633 4.149 1.898 5.883 1.266 1.735 2.915 2.945 4.946 3.633.218.031.383-.008.492-.117.11-.11.164-.242.164-.399v-1.687c-1.156.25-2.063.094-2.719-.469-.294-.214-.497-.463-.608-.746l-.048-.145c-.125-.343-.297-.64-.516-.89-.125-.188-.265-.328-.421-.422L3 14.485c-.25-.188-.375-.329-.375-.422 0-.094.078-.141.234-.141l.235-.047c.406.031.781.219 1.125.563.15.124.26.25.33.374l.045.094c.406.656.937 1.016 1.593 1.078.407.032.86-.046 1.36-.234.062-.594.266-1.047.61-1.36-1.376-.156-2.407-.53-3.095-1.124-.968-.813-1.453-2.079-1.453-3.797 0-1.031.344-1.922 1.032-2.672-.125-.281-.188-.594-.188-.938-.062-.562.031-1.14.281-1.734h.282c.25 0 .546.063.89.188.5.187 1.032.468 1.594.843.781-.218 1.61-.328 2.484-.328.875 0 1.704.11 2.485.328.812-.531 1.515-.86 2.11-.984.26-.052.455-.072.585-.059l.07.012c.25.594.344 1.172.282 1.734 0 .344-.063.657-.188.938.688.75 1.031 1.64 1.031 2.672 0 1.75-.484 3.015-1.453 3.797-.719.593-1.75.968-3.094 1.125.438.406.657 1.03.657 1.875v2.718c0 .157.054.29.164.399.11.11.289.148.539.117z" transform="translate(-358 -1497) translate(0 1332) translate(358 165)"/>
+                </g>
+            </g>
+        </g>
+    </g>
+</svg></div></a></div><div class="report-header-footer"><span class="footer-text">The KICS project is powered by&nbsp;<a href="https://www.checkmarx.com/" class="checkmarx" target="_blank">Checkmarx</a>, global leader of Application Security Testing</span></div></div></body></html>