Merge pull request #6845 from Checkmarx/cwe

feat(cwe): add cwe into sarif report and KICS CLI results
Checkmarx · Feb 6, 2024 · 730aa82 · 730aa82
2 parents 1256cf4 + 1fafda4
commit 730aa82
Show file tree

Hide file tree

Showing 39 changed files with 2,264 additions and 122 deletions.
diff --git a/.gitignore b/.gitignore
@@ -42,6 +42,8 @@ junit-results.xml
 
 # Sarif files
 *.sarif
+!e2e/fixtures/E2E_CLI_079_RESULT.sarif
+!e2e/fixtures/E2E_CLI_080_RESULT.sarif
 
 # coverage report
 coverage.html

diff --git a/Dockerfile b/Dockerfile
@@ -38,7 +38,7 @@ FROM alpine:3.19
 ENV TERM xterm-256color
 
 # Install additional components from Alpine
-Run apk update --no-cache \
+RUN apk update --no-cache \
     && apk add --no-cache \
     gcompat~=1.1.0 \
     git~=2.43
@@ -66,6 +66,7 @@ RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.
 # kics-scan ignore-line
 COPY --from=build_env /app/bin/kics /app/bin/kics
 COPY --from=build_env /app/assets/queries /app/bin/assets/queries
+COPY --from=build_env /app/assets/cwe_csv /app/bin/assets/cwe_csv
 COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/
 
 WORKDIR /app/bin

diff --git a/assets/cwe_csv/Software-Development-CWE.csv b/assets/cwe_csv/Software-Development-CWE.csv
diff --git a/assets/cwe_csv/cwe_taxonomies_latest.json b/assets/cwe_csv/cwe_taxonomies_latest.json
@@ -0,0 +1,21 @@
+{
+"taxonomies": 
+    {
+        "downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.13.xml.zip",
+        "guid": "1489b0c4-d7ce-4d31-af66-6382a01202e3",
+        "informationUri": "https://cwe.mitre.org/data/published/cwe_v4.13.pdf",
+        "isComprehensive": true,
+        "language": "en",
+        "minimumRequiredLocalizedDataSemanticVersion": "4.13",
+        "name": "CWE",
+        "organization": "MITRE",
+        "releaseDateUtc": "2023-10-26",
+        "shortDescription": {
+            "text": "The MITRE Common Weakness Enumeration"
+        },
+        "fullDescription": {
+            "text": "The MITRE Common Weakness Enumeration"
+        },
+        "taxa": []
+    }
+}
diff --git a/docker/Dockerfile.apispec b/docker/Dockerfile.apispec
@@ -56,6 +56,7 @@ COPY --from=build_env /app/assets/libraries/common /app/bin/assets/libraries/com
 COPY --from=build_env /app/assets/libraries/openapi /app/bin/assets/libraries/openapi
 COPY --from=build_env /app/assets/queries/openAPI /app/bin/assets/queries/openAPI
 COPY --from=build_env /app/assets/queries/common /app/bin/assets/queries/common
+COPY --from=build_env /app/assets/cwe_csv /app/bin/assets/cwe_csv
 
 WORKDIR /app/bin
 

diff --git a/docker/Dockerfile.apispec.debian b/docker/Dockerfile.apispec.debian
@@ -70,6 +70,7 @@ COPY --from=build_env /app/assets/libraries/common /app/bin/assets/libraries/com
 COPY --from=build_env /app/assets/libraries/openapi /app/bin/assets/libraries/openapi
 COPY --from=build_env /app/assets/queries/openAPI /app/bin/assets/queries/openAPI
 COPY --from=build_env /app/assets/queries/common /app/bin/assets/queries/common
+COPY --from=build_env /app/assets/cwe_csv /app/bin/assets/cwe_csv
 
 WORKDIR /app/bin
 

diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
@@ -68,6 +68,7 @@ RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d
 
 COPY --from=build_env /app/bin/kics /app/bin/kics
 COPY --from=build_env /app/assets/queries /app/bin/assets/queries
+COPY --from=build_env /app/assets/cwe_csv /app/bin/assets/cwe_csv
 COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/
 
 WORKDIR /app/bin

diff --git a/e2e/fixtures/E2E_CLI_079_RESULT.sarif b/e2e/fixtures/E2E_CLI_079_RESULT.sarif
@@ -0,0 +1,306 @@
+{
+	"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+	"version": "2.1.0",
+	"runs": [
+		{
+			"tool": {
+				"driver": {
+					"name": "KICS",
+					"version": "development",
+					"fullName": "Keeping Infrastructure as Code Secure",
+					"informationUri": "https://www.kics.io/",
+					"rules": [
+						{
+							"id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b",
+							"name": "Run Block Injection",
+							"shortDescription": {
+								"text": "Run Block Injection"
+							},
+							"fullDescription": {
+								"text": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event."
+							},
+							"defaultConfiguration": {
+								"level": "error"
+							},
+							"helpUri": "https://securitylab.github.com/research/github-actions-untrusted-input/",
+							"relationships": [
+								{
+									"target": {
+										"id": "CAT007",
+										"index": 14,
+										"toolComponent": {
+											"name": "Categories",
+											"guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f"
+										}
+									}
+								},
+								{
+									"target": {
+										"id": "22",
+										"guid": "81713b3d-740e-4d67-8003-27068b8214b4",
+										"toolComponent": {
+											"name": "CWE",
+											"guid": "1489b0c4-d7ce-4d31-af66-6382a01202e3"
+										}
+									}
+								}
+							]
+						}
+					]
+				}
+			},
+			"results": [
+				{
+					"ruleId": "20f14e1a-a899-4e79-9f09-b6a84cd4649b",
+					"ruleIndex": 0,
+					"kind": "fail",
+					"message": {
+						"text": "Run block contains dangerous input controlled by user.",
+						"properties": {
+							"platform": "CICD"
+						}
+					},
+					"locations": [
+						{
+							"physicalLocation": {
+								"artifactLocation": {
+									"uri": "path\\test\\fixtures\\test_sarif_cwe_report\\run_block_injection\\test\\positive1.yaml"
+								},
+								"region": {
+									"startLine": 10
+								}
+							}
+						}
+					]
+				},
+				{
+					"ruleId": "20f14e1a-a899-4e79-9f09-b6a84cd4649b",
+					"ruleIndex": 0,
+					"kind": "fail",
+					"message": {
+						"text": "Run block contains dangerous input controlled by user.",
+						"properties": {
+							"platform": "CICD"
+						}
+					},
+					"locations": [
+						{
+							"physicalLocation": {
+								"artifactLocation": {
+									"uri": "path\\test\\fixtures\\test_sarif_cwe_report\\run_block_injection\\test\\positive1.yaml"
+								},
+								"region": {
+									"startLine": 10
+								}
+							}
+						}
+					]
+				}
+			],
+			"taxonomies": [
+				{
+					"guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f",
+					"name": "Categories",
+					"fullDescription": {
+						"text": "This taxonomy contains the types an issue can assume"
+					},
+					"shortDescription": {
+						"text": "Vulnerabilities categories"
+					},
+					"taxa": [
+						{
+							"name": "Undefined Category",
+							"id": "CAT000",
+							"shortDescription": {
+								"text": "Category is not defined"
+							},
+							"fullDescription": {
+								"text": "Category is not defined"
+							}
+						},
+						{
+							"name": "Insecure Defaults",
+							"id": "CAT008",
+							"shortDescription": {
+								"text": "Configurations that are insecure by default"
+							},
+							"fullDescription": {
+								"text": "Configurations that are insecure by default"
+							}
+						},
+						{
+							"name": "Structure and Semantics",
+							"id": "CAT014",
+							"shortDescription": {
+								"text": "Malformed document structure or inadequate semantics"
+							},
+							"fullDescription": {
+								"text": "Malformed document structure or inadequate semantics"
+							}
+						},
+						{
+							"name": "Availability",
+							"id": "CAT002",
+							"shortDescription": {
+								"text": "Reliability and Scalability"
+							},
+							"fullDescription": {
+								"text": "Reliability and Scalability"
+							}
+						},
+						{
+							"name": "Build Process",
+							"id": "CAT005",
+							"shortDescription": {
+								"text": "Insecure configurations when building/deploying"
+							},
+							"fullDescription": {
+								"text": "Insecure configurations when building/deploying"
+							}
+						},
+						{
+							"name": "Secret Management",
+							"id": "CAT012",
+							"shortDescription": {
+								"text": "Secret and Key management"
+							},
+							"fullDescription": {
+								"text": "Secret and Key management"
+							}
+						},
+						{
+							"name": "Supply-Chain",
+							"id": "CAT013",
+							"shortDescription": {
+								"text": "Dependency version management"
+							},
+							"fullDescription": {
+								"text": "Dependency version management"
+							}
+						},
+						{
+							"name": "Backup",
+							"id": "CAT003",
+							"shortDescription": {
+								"text": "Survivability and Recovery"
+							},
+							"fullDescription": {
+								"text": "Survivability and Recovery"
+							}
+						},
+						{
+							"name": "Encryption",
+							"id": "CAT006",
+							"shortDescription": {
+								"text": "Data Security and Encryption configuration"
+							},
+							"fullDescription": {
+								"text": "Data Security and Encryption configuration"
+							}
+						},
+						{
+							"name": "Observability",
+							"id": "CAT010",
+							"shortDescription": {
+								"text": "Logging and Monitoring"
+							},
+							"fullDescription": {
+								"text": "Logging and Monitoring"
+							}
+						},
+						{
+							"name": "Bill Of Materials",
+							"id": "CAT015",
+							"shortDescription": {
+								"text": "List of resources provisioned"
+							},
+							"fullDescription": {
+								"text": "List of resources provisioned"
+							}
+						},
+						{
+							"name": "Access Control",
+							"id": "CAT001",
+							"shortDescription": {
+								"text": "Service permission and identity management"
+							},
+							"fullDescription": {
+								"text": "Service permission and identity management"
+							}
+						},
+						{
+							"name": "Best Practices",
+							"id": "CAT004",
+							"shortDescription": {
+								"text": "Metadata management"
+							},
+							"fullDescription": {
+								"text": "Metadata management"
+							}
+						},
+						{
+							"name": "Resource Management",
+							"id": "CAT011",
+							"shortDescription": {
+								"text": "Resource and privilege limit configuration"
+							},
+							"fullDescription": {
+								"text": "Resource and privilege limit configuration"
+							}
+						},
+						{
+							"name": "Insecure Configurations",
+							"id": "CAT007",
+							"shortDescription": {
+								"text": "Configurations which expose the application unnecessarily"
+							},
+							"fullDescription": {
+								"text": "Configurations which expose the application unnecessarily"
+							}
+						},
+						{
+							"name": "Networking and Firewall",
+							"id": "CAT009",
+							"shortDescription": {
+								"text": "Network port exposure and firewall configuration"
+							},
+							"fullDescription": {
+								"text": "Network port exposure and firewall configuration"
+							}
+						}
+					]
+				},
+				{
+					"guid": "1489b0c4-d7ce-4d31-af66-6382a01202e3",
+					"name": "CWE",
+					"fullDescription": {
+						"text": "The MITRE Common Weakness Enumeration"
+					},
+					"shortDescription": {
+						"text": "The MITRE Common Weakness Enumeration"
+					},
+					"downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.13.xml.zip",
+					"informationUri": "https://cwe.mitre.org/data/published/cwe_v4.13.pdf",
+					"isComprehensive": true,
+					"language": "en",
+					"minimumRequiredLocalizedDataSemanticVersion": "4.13",
+					"organization": "MITRE",
+					"releaseDateUtc": "2023-10-26",
+					"taxa": [
+						{
+							"guid": "81713b3d-740e-4d67-8003-27068b8214b4",
+							"id": "22",
+							"shortDescription": {
+								"text": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory."
+							},
+							"fullDescription": {
+								"text": "Many file operations are intended to take place within a restricted directory. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as /usr/local/bin, which may also be useful in accessing unexpected files. This is referred to as absolute path traversal. In many programming languages, the injection of a null byte (the 0 or NUL) may allow an attacker to truncate a generated filename to widen the scope of attack. For example, the product may add .txt to any pathname, thus limiting the attacker to text files, but a null injection may effectively remove this restriction."
+							},
+							"helpUri": "https://cwe.mitre.org/data/definitions/22.html"
+						}
+					]
+				}
+			]
+		}
+	]
+}