
bug(kubernetes): inconsistent scan results for specific directory vs. entire project #7304

Open
haerter-tss opened this issue Dec 9, 2024 · 0 comments
Labels
bug Something isn't working community Community contribution docker Docker query kubernetes Kubernetes query

Comments

@haerter-tss

Expected Behavior

I have two folders that each contain a values.yaml and a Chart.yaml:

Project1/ui/values.yaml
Project1/ui/Chart.yaml
Project1/shared/values.yaml
Project1/shared/Chart.yaml

There is a high finding (CWE 798 Use of Hard-coded Credentials) in ui/values.yaml; this should be found when scanning the complete project folder Project1 as well as when only scanning Project1/ui.
When scanning everything I get a High finding in ui/values.yaml, but when I only scan the ui folder the finding is missing.

Actual Behavior

When scanning the entire project directory the high severity finding is detected. However, when scanning the "ui" directory alone, the high severity finding in values.yaml is not detected.

(Formatted logs and samples help us to better understand the issue)

See attached Project1-results.json and ui-results.json. I also attached the source code as a ZIP file.

Steps to Reproduce the Problem

  1. Scan UI folder
    docker run -t -v "/home/user/Project1/ui":/path checkmarx/kics scan -p /path -o "/path/" --report-formats "json" --ci --exclude-categories "Best practices" --disable-full-descriptions
  2. Scan the entire project
    docker run -t -v "/home/user/Project1":/path checkmarx/kics scan -p /path -o "/path/" --report-formats "json" --ci --exclude-categories "Best practices" --disable-full-descriptions
  3. Compare the results of both scans

Specifications

  • Version: Keeping Infrastructure as Code Secure v2.1.3
  • Platform: Linux
  • Subsystem: Ubuntu 24.04 / Debian 12.7

code.zip
Project1-results.json
ui-results.json
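As an added example (not from the issue or the KICS project), a script that performs step 3 mechanically: it flattens the two JSON reports, keeps only the full-project findings that live under the scanned sub-directory, strips that prefix so paths line up with the sub-directory scan, and lists findings that one scan reported and the other did not. The report layout it reads (top-level "queries", each with "query_id", "severity" and a "files" list of "file_name"/"line") is assumed, and the sample reports and query ids are constructed stand-ins for the attached files.

```python
"""Compare a full-project KICS report with a sub-directory report.
Assumed layout: {"queries": [{"query_id", "severity", "files": [{"file_name", "line"}]}]}.
"""
import json
import sys


def findings(report: dict) -> set:
    """Flatten a report into (query_id, severity, file_name, line) tuples."""
    out = set()
    for q in report.get("queries", []):
        for f in q.get("files", []):
            out.add((q["query_id"], q["severity"], f["file_name"], f["line"]))
    return out


def compare(full: dict, subset: dict, subdir: str) -> dict:
    """Findings under <subdir> that the full scan reported but the sub-directory
    scan missed, and the reverse. Paths in the full scan carry the "<subdir>/"
    prefix (ui/values.yaml); in the sub-directory scan they do not (values.yaml)."""
    prefix = subdir.strip("/") + "/"
    expected = {
        (qid, sev, path[len(prefix):], line)
        for qid, sev, path, line in findings(full)
        if path.startswith(prefix)
    }
    actual = findings(subset)
    return {"missing_in_subset_scan": sorted(expected - actual),
            "only_in_subset_scan": sorted(actual - expected)}


# Constructed sample reports modelled on the issue: the hard-coded credential
# finding appears only in the whole-project scan. Query ids are placeholders.
FULL_REPORT = {"queries": [
    {"query_id": "hardcoded-credentials", "severity": "HIGH",
     "files": [{"file_name": "ui/values.yaml", "line": 12}]},
    {"query_id": "missing-resource-limits", "severity": "MEDIUM",
     "files": [{"file_name": "shared/values.yaml", "line": 4},
               {"file_name": "ui/values.yaml", "line": 20}]},
]}
UI_REPORT = {"queries": [
    {"query_id": "missing-resource-limits", "severity": "MEDIUM",
     "files": [{"file_name": "values.yaml", "line": 20}]},
]}

if __name__ == "__main__":
    # usage: compare_kics.py Project1-results.json ui-results.json ui
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            result = compare(json.load(a), json.load(b), sys.argv[3])
    else:
        result = compare(FULL_REPORT, UI_REPORT, "ui")
    print(json.dumps(result, indent=2))
```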

@haerter-tss haerter-tss added bug Something isn't working community Community contribution labels Dec 9, 2024
@github-actions github-actions bot added docker Docker query kubernetes Kubernetes query labels Dec 9, 2024