
bug(openapi): scan report is reporting false positives analyzing OpenAPI v3 schema saying "content is undefined" #7330

@malkomich

Description


I am using the good practice of reusing responses in my OpenAPI spec, whose format is defined here.
So every schema for my path responses is well defined inside my components/responses section.

When I am executing the scan with the following command:

docker run --rm -v "$(pwd):/workdir" \
  checkmarx/kics:latest \
  scan \
    -p /workdir \
    -o /workdir/sast-reports \
    --report-formats json \
    --output-name sast-iac-report

I am getting the query "Response on operations that should have a body has undefined schema (v3)" incorrectly reported on every response in my OpenAPI spec.

This is an example of what I am getting in the JSON report from SAST:

{
	"query_name": "Response on operations that should have a body has undefined schema (v3)",
	"query_id": "a92be1d5-d762-484a-86d6-8cd0907ba100",
	"query_url": "https://swagger.io/docs/specification/describing-responses/",
	"severity": "MEDIUM",
	"platform": "OpenAPI",
	"cwe": "665",
	"cloud_provider": "COMMON",
	"category": "Networking and Firewall",
	"experimental": false,
	"description": "If a response is not head or its code is not 204 or 304, it should have a schema defined",
	"description_id": "eaff445e",
	"files": [
		{
			"file_name": "<path_to_my_openapi_spec>/spec.yaml",
			"similarity_id": "e08dcd3c1ce5c29d67f5bf23b68c33cb39476382ecb9dc34e9fab41b95ffb0c7",
			"line": 60,
			"issue_type": "MissingAttribute",
			"search_key": "paths./<my_endpoint>.post.responses.500",
			"search_line": -1,
			"search_value": "",
			"expected_value": "paths./<my_endpoint>.post.responses.500.content should be defined",
			"actual_value": "paths./<my_endpoint>.post.responses.500.content is undefined"
		},
        .....
        ]
}

Expected Behavior

KICS is identifying the $ref reference, so the scan finds the required fields inside the defined response component.

Actual Behavior

KICS is not identifying the $ref reference, so the scan reports issues for not having a well defined schema on response codes which should have a body.

Steps to Reproduce the Problem

  1. Define in your OpenAPI spec a response to be reused:

components:
  responses:
    CustomResponse:
      description: Custom response with a well defined schema.
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/ErrorResponse"

  2. Define in your OpenAPI spec a path reusing a response defined in your component responses:

paths:
  /path1:
    post:
      responses:
        "401":
          $ref: "#/components/responses/CustomResponse"

  3. Run the scan command.
  4. Check the unexpected issue query inside the JSON report.

Specifications

  • Version: v2.1.4
  • Platform: Linux
  • Subsystem: Ubuntu
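The behaviour the reporter expects, written out as an added reference check (this is not KICS code): local `$ref` pointers into components/responses are resolved before deciding whether a response lacks `content`, and HEAD operations plus codes 204/304 are exempt, as the query description says. The sample spec is constructed to mirror the reproduction steps, plus an extra reused response (`BodylessResponse`, an assumed name) that genuinely has no body, so the check still fires where it should.

```python
"""Resolve OpenAPI v3 $ref responses before checking for a missing body schema.

Added example, not KICS code: shows how the
'Response on operations that should have a body has undefined schema (v3)'
rule behaves once $ref pointers into components/responses are followed.
"""
from typing import Any

# Constructed sample spec mirroring the reproduction steps (not the reporter's file).
# 'BodylessResponse' is an assumed name added to show a true positive.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {
        "schemas": {"ErrorResponse": {"type": "object"}},
        "responses": {
            "CustomResponse": {
                "description": "Custom response with a well defined schema.",
                "content": {
                    "application/json": {
                        "schema": {"$ref": "#/components/schemas/ErrorResponse"}
                    }
                },
            },
            "BodylessResponse": {"description": "Reused response with no content"},
        },
    },
    "paths": {
        "/path1": {
            "post": {
                "responses": {
                    "401": {"$ref": "#/components/responses/CustomResponse"},
                    "500": {"$ref": "#/components/responses/BodylessResponse"},
                    "204": {"description": "No content, exempt"},
                }
            },
            "head": {"responses": {"200": {"description": "HEAD is exempt"}}},
        }
    },
}

# Response codes that legitimately carry no body, per the query description.
BODYLESS_CODES = {"204", "304"}


def resolve_ref(doc: dict, node: Any, seen: tuple = ()) -> Any:
    """Follow local '#/...' JSON pointers until a non-$ref object is reached.

    Cycles and dangling pointers raise instead of silently passing the check.
    """
    while isinstance(node, dict) and "$ref" in node:
        ref = node["$ref"]
        if not ref.startswith("#/"):
            raise ValueError(f"only local refs supported: {ref}")
        if ref in seen:
            raise ValueError(f"cyclic $ref: {ref}")
        seen += (ref,)
        target: Any = doc
        for part in ref[2:].split("/"):
            # JSON pointer unescaping: ~1 -> '/', ~0 -> '~'
            part = part.replace("~1", "/").replace("~0", "~")
            if not isinstance(target, dict) or part not in target:
                raise ValueError(f"dangling $ref: {ref}")
            target = target[part]
        node = target
    return node


def responses_without_content(doc: dict) -> list[str]:
    """Return search keys like 'paths./path1.post.responses.500' for responses
    that should carry a body but define no 'content', after resolving $ref."""
    findings: list[str] = []
    for path, path_item in doc.get("paths", {}).items():
        # Path items may themselves be $ref'd in OpenAPI v3.
        for method, operation in resolve_ref(doc, path_item).items():
            # Skip HEAD and non-operation keys such as 'parameters'.
            if method.lower() == "head" or not isinstance(operation, dict):
                continue
            for code, response in operation.get("responses", {}).items():
                if str(code) in BODYLESS_CODES:
                    continue
                resolved = resolve_ref(doc, response)
                if "content" not in resolved:
                    findings.append(f"paths.{path}.{method}.responses.{code}")
    return findings


if __name__ == "__main__":
    for key in responses_without_content(SAMPLE_SPEC):
        print(f"{key}.content is undefined")
```

Run against the sample, only the 500 response is reported: the 401 resolves to CustomResponse, which does define `content`, so it is no longer a false positive. Resolving the reference before the attribute check is the whole fix; a checker that inspects the raw response object sees only `$ref` and reports every reused response, which is exactly the report above.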


Labels: bug, community, docker, openapi, query
