
Specifying TERRAFORM_KICS_ARGUMENTS breaks kics #1947

Closed
d-mankowski-synerise opened this issue Oct 8, 2022 · 6 comments · Fixed by #1950
Labels
bug Something isn't working

Comments

d-mankowski-synerise commented Oct 8, 2022

Describe the bug
Adding any CLI args to kics causes it to fail.

To Reproduce
Steps to reproduce the behavior:

  • specify TERRAFORM_KICS_ARGUMENTS: --minimal-ui --no-progress --type ansible
  • enable linter: ENABLE_LINTERS: TERRAFORM_KICS
  • run MegaLinter

Screenshots
Check the last line.

❌ Linted [TERRAFORM] files with [kics]: Found 36 error(s) - (6.35s) (expand for details)
- Using [kics v1.6.1] https://oxsecurity.github.io/megalinter/latest/descriptors/terraform_kics
- MegaLinter key: [TERRAFORM_KICS]
- Rules config: identified by [kics]
- Number of files analyzed: [36]
[kics] .ansible-lint - ERROR - 1 error(s)
--Error detail:
                   .0MO.                                    
                   OMMMx                                    
                   ;NMX;                                    
                    ...           ...              ....     
WMMMd     cWMMM0.  KMMMO      ;xKWMMMMNOc.     ,xXMMMMMWXkc.
WMMMd   .0MMMN:    KMMMO    :XMMMMMMMMMMMWl   xMMMMMWMMMMMMl
WMMMd  lWMMMO.     KMMMO   xMMMMKc...'lXMk   ,MMMMx   .;dXx 
WMMMd.0MMMX;       KMMMO  cMMMMd        '    'MMMMNl'       
WMMMNWMMMMl        KMMMO  0MMMN               oMMMMMMMXkl.  
WMMMMMMMMMMo       KMMMO  0MMMX                .ckKWMMMMMM0.
WMMMMWokMMMMk      KMMMO  oMMMMc              .     .:OMMMM0
WMMMK.  dMMMM0.    KMMMO   KMMMMx'    ,kNc   :WOc.    .NMMMX
WMMMd    cWMMMX.   KMMMO    kMMMMMWXNMMMMMd .WMMMMWKO0NMMMMl
WMMMd     ,NMMMN,  KMMMO     'xNMMMMMMMNx,   .l0WMMMMMMMWk, 
xkkk:      ,kkkkx  okkkl        ;xKXKx;          ;dOKKkc    
Scanning with Keeping Infrastructure as Code Secure v1.6.1
Error: stat /builds/Infrastructure/ansible-scylladb/--minimal-ui: no such file or directory

Additional context
It seems like it iterates over every file in the directory, but instead of passing the path of the file to scan, it passes the first arg provided.

Running kics via the standalone docker image is fine:

❯ docker run -t -v $(pwd):/path checkmarx/kics scan -p /path --minimal-ui --no-progress


                   .0MO.                                    
                   OMMMx                                    
                   ;NMX;                                    
                    ...           ...              ....     
WMMMd     cWMMM0.  KMMMO      ;xKWMMMMNOc.     ,xXMMMMMWXkc.
WMMMd   .0MMMN:    KMMMO    :XMMMMMMMMMMMWl   xMMMMMWMMMMMMl
WMMMd  lWMMMO.     KMMMO   xMMMMKc...'lXMk   ,MMMMx   .;dXx 
WMMMd.0MMMX;       KMMMO  cMMMMd        '    'MMMMNl'       
WMMMNWMMMMl        KMMMO  0MMMN               oMMMMMMMXkl.  
WMMMMMMMMMMo       KMMMO  0MMMX                .ckKWMMMMMM0.
WMMMMWokMMMMk      KMMMO  oMMMMc              .     .:OMMMM0
WMMMK.  dMMMM0.    KMMMO   KMMMMx'    ,kNc   :WOc.    .NMMMX
WMMMd    cWMMMX.   KMMMO    kMMMMMWXNMMMMMd .WMMMMWKO0NMMMMl
WMMMd     ,NMMMN,  KMMMO     'xNMMMMMMMNx,   .l0WMMMMMMMWk, 
xkkk:      ,kkkkx  okkkl        ;xKXKx;          ;dOKKkc    


Scanning with Keeping Infrastructure as Code Secure v1.6.1



Files scanned: 23
Parsed files: 23
Queries loaded: 280
Queries failed to execute: 0

------------------------------------

Passwords And Secrets - Generic Password, Severity: HIGH, Results: 3
        [1]: ../../path/defaults/main.yml:48
        [2]: ../../path/tasks/configure_root_role.yml:19
        [3]: ../../path/tasks/configure_root_role.yml:11
------------------------------------ MegaLinter, by OX Security ------------------------------------
----------------------------------------------------------------------------------------------------
 - Image Creation Date: 2022-10-03T06:14:22Z
 - Image Revision: 88a858e
 - Image Version: v6
d-mankowski-synerise added the bug label Oct 8, 2022
nvuillam commented Oct 8, 2022

Please can you try the following config and paste the result ?

TERRAFORM_KICS_ARGUMENTS: ["--minimal-ui", "--no-progress", "--type", "ansible"]
LOG_LEVEL: DEBUG

d-mankowski-synerise commented Oct 8, 2022

I trimmed the output a bit, but we can clearly see that the order is wrong and --path should be after the extra args:

[kics] command: ['kics', 'scan', '--path', '--minimal-ui', '--no-progress', '--type', 'ansible', '/builds/Infrastructure/ansible-scylladb/.ansible-lint']
TERRAFORM_KICS_ARGUMENTS=['--minimal-ui', '--no-progress', '--type', 'ansible']
TERRAFORM_KICS_FILE_EXTENSIONS=['*']
YAML_YAMLLINT_CONFIG_FILE=.yamllint.yml
_=/usr/local/bin/python
----------------------------------------------------------------------------------------------------
[Pre] No commands declared in user configuration
MARKDOWN_REMARK_LINT has been temporary disabled in MegaLinter, please use a previous MegaLinter version or wait for the next one !
Skipped linters: ACTION_ACTIONLINT, ANSIBLE_ANSIBLE_LINT, ARM_ARM_TTK, BASH_EXEC, BASH_SHELLCHECK, BASH_SHFMT, BICEP_BICEP_LINTER, CLOJURE_CLJ_KONDO, CLOUDFORMATION_CFN_LINT, COFFEE_COFFEELINT, COPYPASTE_JSCPD, CPP_CPPLINT, CSHARP_DOTNET_FORMAT, CSS_SCSS_LINT, CSS_STYLELINT, C_CPPLINT, DART_DARTANALYZER, DOCKERFILE_HADOLINT, EDITORCONFIG_EDITORCONFIG_CHECKER, ENV_DOTENV_LINTER, GHERKIN_GHERKIN_LINT, GO_GOLANGCI_LINT, GO_REVIVE, GRAPHQL_GRAPHQL_SCHEMA_LINTER, GROOVY_NPM_GROOVY_LINT, HTML_DJLINT, HTML_HTMLHINT, JAVASCRIPT_ES, JAVASCRIPT_PRETTIER, JAVASCRIPT_STANDARD, JAVA_CHECKSTYLE, JAVA_PMD, JSON_ESLINT_PLUGIN_JSONC, JSON_JSONLINT, JSON_PRETTIER, JSON_V8R, JSX_ESLINT, KOTLIN_KTLINT, KUBERNETES_KUBECONFORM, KUBERNETES_KUBEVAL, LATEX_CHKTEX, LUA_LUACHECK, MAKEFILE_CHECKMAKE, MARKDOWN_MARKDOWNLINT, MARKDOWN_MARKDOWN_LINK_CHECK, MARKDOWN_MARKDOWN_TABLE_FORMATTER, MARKDOWN_REMARK_LINT, OPENAPI_SPECTRAL, PERL_PERLCRITIC, PHP_PHPCS, PHP_PHPLINT, PHP_PHPSTAN, PHP_PSALM, POWERSHELL_POWERSHELL, PROTOBUF_PROTOLINT, PUPPET_PUPPET_LINT, PYTHON_BANDIT, PYTHON_BLACK, PYTHON_FLAKE8, PYTHON_ISORT, PYTHON_MYPY, PYTHON_PYLINT, PYTHON_PYRIGHT, RAKU_RAKU, REPOSITORY_CHECKOV, REPOSITORY_DEVSKIM, REPOSITORY_DUSTILOCK, REPOSITORY_GITLEAKS, REPOSITORY_GIT_DIFF, REPOSITORY_GOODCHECK, REPOSITORY_SECRETLINT, REPOSITORY_SEMGREP, REPOSITORY_SYFT, REPOSITORY_TRIVY, RST_RSTCHECK, RST_RST_LINT, RUBY_RUBOCOP, RUST_CLIPPY, R_LINTR, SALESFORCE_SFDX_SCANNER_APEX, SALESFORCE_SFDX_SCANNER_AURA, SALESFORCE_SFDX_SCANNER_LWC, SCALA_SCALAFIX, SNAKEMAKE_LINT, SNAKEMAKE_SNAKEFMT, SPELL_CSPELL, SPELL_MISSPELL, SPELL_PROSELINT, SQL_SQLFLUFF, SQL_SQL_LINT, SQL_TSQLLINT, SWIFT_SWIFTLINT, TEKTON_TEKTON_LINT, TERRAFORM_CHECKOV, TERRAFORM_TERRAFORM_FMT, TERRAFORM_TERRAGRUNT, TERRAFORM_TERRASCAN, TERRAFORM_TFLINT, TSX_ESLINT, TYPESCRIPT_ES, TYPESCRIPT_PRETTIER, TYPESCRIPT_STANDARD, VBDOTNET_DOTNET_FORMAT, XML_XMLLINT, YAML_PRETTIER, YAML_V8R, YAML_YAMLLINT
To receive reports as email, please set variable EMAIL_REPORTER_EMAIL
MegaLinter now collects the files to analyse (expand for details)
Listing all files in directory [/builds/Infrastructure/ansible-scylladb], then filter with:
Root dir content:
- /builds/Infrastructure/ansible-scylladb/.ansible-lint
- /builds/Infrastructure/ansible-scylladb/.gitignore
- /builds/Infrastructure/ansible-scylladb/.gitlab-ci.yml
All found files before filtering:
- /builds/Infrastructure/ansible-scylladb/.ansible-lint
- /builds/Infrastructure/ansible-scylladb/.gitignore
- /builds/Infrastructure/ansible-scylladb/.gitlab-ci.yml
- File extensions: *
Popen(['git', 'ls-files', '--exclude-standard', '--ignored', '--others', '--cached'], cwd=/builds/Infrastructure/ansible-scylladb, universal_newlines=False, shell=None, istream=None)
- Excluding .gitignored files [0]: 
Kept [36] files on [36] found files
Kept files before applying linter filters:
- /builds/Infrastructure/ansible-scylladb/.ansible-lint
- /builds/Infrastructure/ansible-scylladb/.gitignore
- /builds/Infrastructure/ansible-scylladb/.gitlab-ci.yml
[Filters] {'name': 'TERRAFORM_KICS', 'filter_regex_include': None, 'filter_regex_exclude': None, 'files_sub_directory': None, 'lint_all_files': False, 'lint_all_other_linters_files': False, 'file_extensions': ['*'], 'file_names_regex': [], 'file_names_not_ends_with': [], 'file_contains_regex': []}
TERRAFORM_KICS linter kept 36 files after applying linter filters:
- /builds/Infrastructure/ansible-scylladb/.ansible-lint
- /builds/Infrastructure/ansible-scylladb/.gitignore
+----MATCHING LINTERS-+----------+----------------+------------+
| Descriptor | Linter | Criteria | Matching files | Format/Fix |
+------------+--------+----------+----------------+------------+
| TERRAFORM  | kics   | *        | 36             | no         |
+------------+--------+----------+----------------+------------+
MegaLinter flavor is "all", no need to check match with linters
[kics] command: ['kics', 'scan', '--path', '--minimal-ui', '--no-progress', '--type', 'ansible', '/builds/Infrastructure/ansible-scylladb/.ansible-lint']
[kics] CWD: /builds/Infrastructure/ansible-scylladb
[kics] result: 126 
                   .0MO.                                    
                   OMMMx                                    
                   ;NMX;                                    
                    ...           ...              ....     
WMMMd     cWMMM0.  KMMMO      ;xKWMMMMNOc.     ,xXMMMMMWXkc.
WMMMd   .0MMMN:    KMMMO    :XMMMMMMMMMMMWl   xMMMMMWMMMMMMl
WMMMd  lWMMMO.     KMMMO   xMMMMKc...'lXMk   ,MMMMx   .;dXx 
WMMMd.0MMMX;       KMMMO  cMMMMd        '    'MMMMNl'       
WMMMNWMMMMl        KMMMO  0MMMN               oMMMMMMMXkl.  
WMMMMMMMMMMo       KMMMO  0MMMX                .ckKWMMMMMM0.
WMMMMWokMMMMk      KMMMO  oMMMMc              .     .:OMMMM0
WMMMK.  dMMMM0.    KMMMO   KMMMMx'    ,kNc   :WOc.    .NMMMX
WMMMd    cWMMMX.   KMMMO    kMMMMMWXNMMMMMd .WMMMMWKO0NMMMMl
WMMMd     ,NMMMN,  KMMMO     'xNMMMMMMMNx,   .l0WMMMMMMMWk, 
xkkk:      ,kkkkx  okkkl        ;xKXKx;          ;dOKKkc    
Scanning with Keeping Infrastructure as Code Secure v1.6.1
Error: stat /builds/Infrastructure/ansible-scylladb/--minimal-ui: no such file or directory
Usage:
  kics scan [flags]

d-mankowski-synerise commented Oct 8, 2022

As a side note, it seems that this passes one file at a time to kics, right? This could be improved by joining all file paths with a comma, as the manual shows:

  -p, --path strings                  paths or directories to scan
                                      example: "./somepath,somefile.txt"

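The ordering problem visible in the debug log above (`--path` followed by the user's extra arguments, so kics tries to `stat` the literal string `--minimal-ui`) and the comma-separated `--path` form quoted from the kics manual, as one added Python example. This is not MegaLinter's or kics' own code: the function names, the `KicsCommandError` exception and the way the string form of `TERRAFORM_KICS_ARGUMENTS` is tokenised are assumptions made for illustration; the thread only establishes that the list form was requested by the maintainer.

```python
"""
Builds the kics command line the buggy way seen in the report and the fixed
way, and adds a check that the value kics will read for --path is a path.
Hypothetical example code; names and behaviour are not MegaLinter's own.
"""
import shlex
from typing import List, Sequence, Union


class KicsCommandError(ValueError):
    """Raised when a built command line would hand kics an option name as a path."""


def parse_arguments_variable(raw: Union[str, Sequence[str]]) -> List[str]:
    """Accept both forms seen in the thread: a YAML list
    (["--minimal-ui", "--no-progress"]) or a plain space-separated string.
    Assumption: the string form is tokenised with shell quoting rules."""
    if isinstance(raw, str):
        return shlex.split(raw)
    return list(raw)


def build_kics_command_buggy(extra_args: Sequence[str], file_path: str) -> List[str]:
    """The ordering observed in the debug log: extra args are spliced between
    --path and its value, so kics treats --minimal-ui as the path."""
    return ["kics", "scan", "--path", *extra_args, file_path]


def build_kics_command(extra_args: Sequence[str], file_paths: Sequence[str]) -> List[str]:
    """Fixed ordering: user-supplied options first, then --path with its value
    last. Several paths are joined with commas, the format the kics manual
    documents for -p, --path ("./somepath,somefile.txt")."""
    if not file_paths:
        raise ValueError("at least one path is required")
    for p in file_paths:
        if "," in p:
            # kics splits --path on commas, so a comma inside a file name would
            # be read as two paths; refuse rather than scan the wrong thing.
            raise ValueError(f"path contains a comma and cannot be passed via --path: {p!r}")
    return ["kics", "scan", *extra_args, "--path", ",".join(file_paths)]


def check_path_value(cmd: Sequence[str]) -> str:
    """Return the value kics will read for --path, raising if it looks like an
    option name (the exact symptom in the report: 'stat .../--minimal-ui')."""
    try:
        idx = cmd.index("--path")
    except ValueError:
        raise KicsCommandError("command has no --path option") from None
    if idx + 1 >= len(cmd):
        raise KicsCommandError("--path has no value")
    value = cmd[idx + 1]
    if value.startswith("-"):
        raise KicsCommandError(f"--path would receive an option name instead of a path: {value!r}")
    return value


if __name__ == "__main__":
    # Constructed inputs mirroring the report; the paths are taken from the log.
    extra = parse_arguments_variable("--minimal-ui --no-progress --type ansible")
    files = [
        "/builds/Infrastructure/ansible-scylladb/.ansible-lint",
        "/builds/Infrastructure/ansible-scylladb/.gitlab-ci.yml",
    ]
    try:
        check_path_value(build_kics_command_buggy(extra, files[0]))
    except KicsCommandError as err:
        print("buggy ordering rejected:", err)
    fixed = build_kics_command(extra, files)
    print("fixed command:", " ".join(fixed))
    print("--path value:", check_path_value(fixed))
```

Running the script prints the rejection for the buggy ordering and then a single `kics scan --minimal-ui --no-progress --type ansible --path <a>,<b>` line; the `check_path_value` guard is the kind of sanity check a wrapper can run before spawning the linter, so that a misplaced user argument fails in the wrapper with a clear message rather than as a confusing `stat` error from the tool.
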
nvuillam commented Oct 8, 2022

That's indeed not very optimized
I think that we can keep such an update for the switch to the REPOSITORY descriptor, where we'll use cli_lint_mode: project by default, so it will run on the full directory and not on a file or a list of files.

d-mankowski-synerise commented

Sounds good, but what about the case when a user would specify, for example, KICS_FILE_EXTENSIONS: .yml?

nvuillam commented Oct 8, 2022

We'll see after my PR is merged ^^

nvuillam added a commit that referenced this issue Oct 8, 2022
* [automation] Auto-update linters version, help and documentation

* Downgrade ansible-lint

* Use -p argument for pyright custom config file path

Fixes #1946

* changelog

* Fix use of TERRAFORM_KICS_ARGUMENTS

Fixes #1947

* [automation] Auto-update linters version, help and documentation