bug(openapi): false positive for query "Header Object Without Schema" on referenced header objects

[cureaid]

Expected Behavior

The "Header Object Without Schema" query should not generate a vulnerability if the header object has a schema and is referenced.

Actual Behavior

The "Header Object Without Schema" (50de3b5b-6465-4e06-a9b0-b4c2ba34326b) query generates a medium-level vulnerability.

Steps to Reproduce the Problem

Following openapi.yaml makes KICS find a "Header Object Without Schema" (50de3b5b-6465-4e06-a9b0-b4c2ba34326b) vulnerability:

openapi: "3.0.3"

info:
  title: Reproduce "Header Object Without Schema"
  version: 1.0.0

servers:
  - url: https://example.com/

security:
  - bearerAuth: []

paths:
  /test:
    get:
      responses:
        '200':
          description: Test
          headers:
            X-Test: { $ref: "#/components/headers/X-Test" }
          content:
            application/json:
              schema:
                type: string
                pattern: '^test$'

components:
  headers:
    X-Test:
      schema:
        type: string
        pattern: '^test$'

  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

Following openapi.yaml makes KICS not find a "Header Object Without Schema" (50de3b5b-6465-4e06-a9b0-b4c2ba34326b) vulnerability:

openapi: "3.0.3"

info:
  title: Reproduce "Header Object Without Schema"
  version: 1.0.0

servers:
  - url: https://example.com/

security:
  - bearerAuth: []

paths:
  /test:
    get:
      responses:
        '200':
          description: Test
          headers:
            X-Test:
              schema:
                type: string
                pattern: '^test$'
          content:
            application/json:
              schema:
                type: string
                pattern: '^test$'

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

Specifications

• Version: checkmarx/kics:v2.1.3@sha256:8b191adbd156038cfbc163fd1ab1b210c839bd9e065777287eadc8d267a60b9d
• Platform: Docker
• Subsystem: openapi

[cureaid]

Similar behavior appears with rule a92be1d5-d762-484a-86d6-8cd0907ba100 (Response on operations that should have a body has undefined schema (v3)). The content schema of the referenced response object is defined but KICS still shows an error.

[cx-andre-pereira]

Hi cureaid. Fortunately this issue can be solved by including the --enable-openapi-refs flag in the command used to scan the file. This is detailed in our documentation for the command line interface, the default value for this flag is false but it should be turned on for any OpenAPI sample that relies on $ref statements.

Thank you for your input ! Please try the --enable-openapi-refs flag that i mentioned to ensure the issue is also fixed on your end, in the meantime i will take this issue as resolved.