[kicsbot] Update queries catalog (#2935)
Co-authored-by: rogeriopeixotocx <[email protected]>
kicsbot and rogeriopeixotocx authored Apr 21, 2021
1 parent 623cb06 commit 813478d
Showing 2 changed files with 18 additions and 0 deletions.
9 changes: 9 additions & 0 deletions docs/queries/all-queries.md
@@ -894,10 +894,15 @@ This page contains all queries.
|Field 'securityScheme' On Components Is Undefined<br/><sup><sub>8db5544e-4874-4baa-9322-e9f75a2d219e</sub></sup>|OpenAPI|<span style="color:#C00">High</span>|Access Control|Components' securityScheme field must have a valid scheme|<a href="https://swagger.io/specification/#security-scheme-object">Documentation</a><br/>|
|Global security field has an empty object<br/><sup><sub>543e38f4-1eee-479e-8eb0-15257013aa0a</sub></sup>|OpenAPI|<span style="color:#C00">High</span>|Access Control|Global security definition must not have empty objects|<a href="https://swagger.io/specification/#security-requirement-object">Documentation</a><br/>|
|No Global And Operation Security Defined<br/><sup><sub>96729c6b-7400-4d9e-9807-17f00cdde4d2</sub></sup>|OpenAPI|<span style="color:#C00">High</span>|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|<a href="https://swagger.io/specification/#security-requirement-object">Documentation</a><br/>|
|Implicit Flow in OAuth2<br/><sup><sub>4a1f3d75-ab73-41b2-83e7-06a93dc3a75a</sub></sup>|OpenAPI|<span style="color:#C60">Medium</span>|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|<a href="https://swagger.io/specification/#oauth-flow-object">Documentation</a><br/>|
|Invalid OAuth2 Authorization URL<br/><sup><sub>52c0d841-60d6-4a81-88dd-c35fef36d315</sub></sup>|OpenAPI|<span style="color:#C60">Medium</span>|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|<a href="https://swagger.io/specification/#oauth-flow-object">Documentation</a><br/>|
|Invalid OAuth2 Token URL<br/><sup><sub>3ba0cca1-b815-47bf-ac62-1e584eb64a05</sub></sup>|OpenAPI|<span style="color:#C60">Medium</span>|Access Control| OAuth2 security scheme flow requires a valid URL in the tokenUrl field|<a href="https://swagger.io/specification/#oauth-flow-object">Documentation</a><br/>|
|Path Server Object Uses HTTP<br/><sup><sub>9670f240-7b4d-4955-bd93-edaa9fa38b58</sub></sup>|OpenAPI|<span style="color:#C60">Medium</span>|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|<a href="https://swagger.io/specification/#server-object">Documentation</a><br/>|
|Global Server Object Uses HTTP<br/><sup><sub>2d8c175a-6d90-412b-8b0e-e034ea49a1fe</sub></sup>|OpenAPI|<span style="color:#C60">Medium</span>|Encryption|Global server object URL should use 'https' protocol instead of 'http'|<a href="https://swagger.io/specification/#server-object">Documentation</a><br/>|
|Success Response Code Defined for Patch Operation<br/><sup><sub>1908a8ee-927d-4166-8f18-241152170cc1</sub></sup>|OpenAPI|<span style="color:#C60">Medium</span>|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|<a href="https://swagger.io/specification/#operation-object">Documentation</a><br/>|
|Success Response Code Defined for Put Operation<br/><sup><sub>60b5f56b-66ff-4e1c-9b62-5753e16825bc</sub></sup>|OpenAPI|<span style="color:#C60">Medium</span>|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|<a href="https://swagger.io/specification/#operation-object">Documentation</a><br/>|
|Success Response Code Defined for Delete Operation<br/><sup><sub>3b497874-ae59-46dd-8d72-1868a3b8f150</sub></sup>|OpenAPI|<span style="color:#C60">Medium</span>|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|<a href="https://swagger.io/specification/#operation-object">Documentation</a><br/>|
|Success Response Code Defined for Post Operation<br/><sup><sub>f368dd2d-9344-4146-a05b-7c6faa1269ad</sub></sup>|OpenAPI|<span style="color:#C60">Medium</span>|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|<a href="https://swagger.io/specification/#operation-object">Documentation</a><br/>|
|Undefined Scope 'securityScheme' On Global 'security' Field<br/><sup><sub>23a9e2d9-8738-4556-a71c-2802b6ffa022</sub></sup>|OpenAPI|<span style="color:#CC0">Low</span>|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|<a href="https://swagger.io/specification/#oauth-flow-object">Documentation</a><br/>|
|Undefined Scope 'securityScheme' On 'security' Field On Operations<br/><sup><sub>462d6a1d-fed9-4d75-bb9e-3de902f35e6e</sub></sup>|OpenAPI|<span style="color:#CC0">Low</span>|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|<a href="https://swagger.io/specification/#oauth-flow-object">Documentation</a><br/>|
|Invalid Contact Email<br/><sup><sub>b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Best Practices|Contact Object Email should be a valid email|<a href="https://swagger.io/specification/#contact-object">Documentation</a><br/>|
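Review bot: the four "Success Response Code Defined for ... Operation" rows are named for the compliant state rather than the finding, and are filed under "Networking and Firewall", which does not describe a check on an operation's responses; the other rows in this table name the defect ("Servers Array Undefined", "Path Parameter Not Required") and a response-definition check fits "Structure and Semantics". Consider renaming to e.g. "Success Response Code Undefined for Patch Operation", revisiting the category, and confirming that Medium is warranted when the comparable response checks further down are Info. Two smaller points: the "Invalid OAuth2 Token URL" description cell starts with a stray space (`| OAuth2 security scheme flow requires a valid URL in the tokenUrl field|`), and both "Undefined Scope" rows read "Using an scope" (should be "a scope") and then say the scope "can be defined by an attacker", which does not explain the risk; state plainly that a scope referenced in `security` but not declared by any `securityScheme` cannot be validated against the declared flows. Finally, the "Implicit Flow in OAuth2" row asserts the flow is deprecated but links only to the OpenAPI OAuth Flow Object reference; cite the source of the deprecation (the OAuth 2.0 Security Best Current Practice) so a reader can verify the claim.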
@@ -908,10 +913,14 @@ This page contains all queries.
|Response Object With Incorrect Ref<br/><sup><sub>b3871dd8-9333-4d6c-bd52-67eb898b71ab</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|Response Object reference must always point to '#components/responses'|<a href="https://swagger.io/specification/#responses-object">Documentation</a><br/>|
|Servers Array Undefined<br/><sup><sub>c66ebeaa-676c-40dc-a3ff-3e49395dcd5e</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|<a href="https://swagger.io/specification/#server-object">Documentation</a><br/>|
|Path Parameter Not Required<br/><sup><sub>0de50145-e845-47f4-9a15-23bcf2125710</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|<a href="https://swagger.io/specification/#parameter-object">Documentation</a><br/>|
|Server URL Not Absolute<br/><sup><sub>a0bf7382-5d5a-4224-924c-3db8466026c9</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|The Server URL should be an absolute URL|<a href="https://swagger.io/specification/#server-object">Documentation</a><br/>|
|Invalid Content Type For Multiple Files Upload<br/><sup><sub>26f06397-36d8-4ce7-b993-17711261d777</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|<a href="https://swagger.io/docs/specification/describing-request-body/file-upload/">Documentation</a><br/>|
|Request Body With Incorrect Ref<br/><sup><sub>0f6cd0ab-c366-4595-84fc-fbd8b9901e4d</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|Request Body reference must always point to '#components/RequestBodies'|<a href="https://swagger.io/specification/#request-body-object">Documentation</a><br/>|
|Schema Discriminator Not Required<br/><sup><sub>b481d46c-9c61-480f-86d9-af07146dc4a4</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|The discriminator property in the Schema Object should be a required property|<a href="https://swagger.io/specification/#schema-object">Documentation</a><br/>|
|Responses With Wrong HTTP Status Code<br/><sup><sub>d86655c0-92f6-4ffc-b4d5-5b5775804c27</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|<a href="https://swagger.io/specification/#responses-object">Documentation</a><br/>|
|Parameter Object With Schema And Content<br/><sup><sub>31dd6fc0-f274-493b-9614-e063086c19fc</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|<a href="https://swagger.io/specification/#parameter-object">Documentation</a><br/>|
|Parameter Objects Headers With Duplicated Name<br/><sup><sub>05505192-ba2c-4a81-9b25-dcdbcc973746</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|<a href="https://swagger.io/specification/#parameter-object">Documentation</a><br/>|
|Paths Object is Empty<br/><sup><sub>815021c8-a50c-46d9-b192-24f71072c400</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|<a href="https://swagger.io/specification/#paths-object">Documentation</a><br/>|
|Parameter Object With Undefined Type<br/><sup><sub>46facedc-f243-4108-ab33-583b807d50b0</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|<a href="https://swagger.io/specification/#parameter-object">Documentation</a><br/>|
|Parameter Object With Incorrect Ref<br/><sup><sub>d40f27e6-15fb-4b56-90f8-fc0ff0291c51</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|Parameter Object reference must always point to '#components/parameters'|<a href="https://swagger.io/specification/#parameter-object">Documentation</a><br/>|
|Link Object OperationId Does Not Target Operation Object<br/><sup><sub>c5bb7461-aa57-470b-a714-3bc3d74f4669</sub></sup>|OpenAPI|<span style="color:#00C">Info</span>|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|<a href="https://swagger.io/specification/#link-object">Documentation</a><br/>|
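Review bot: the three "... With Incorrect Ref" descriptions give the required reference target as `'#components/responses'`, `'#components/RequestBodies'` and `'#components/parameters'`, which are not valid JSON Pointer fragments: a local `$ref` into the Components Object takes the form `#/components/responses/...`, with a slash after `#`, and the fixed field for request bodies is `requestBodies` (lowercase r; Components Object field names are case-sensitive). As written, a reader following the description would write refs that the check would presumably flag, so correct the text and confirm the query compares against the same prefix. Two further points on this hunk: "Responses With Wrong HTTP Status Code" states the valid range as [200-599], which excludes the 1xx class (100-199 are valid HTTP status codes), so either the description or the query bound should be confirmed; and the "Paths Object is Empty" description ("Paths object may be empty due to ACL constraints, meaning they are not exposed") explains why the object might legitimately be empty but never says what the query reports or why it matters, so it should state the finding (that the document exposes no operations) and keep the ACL remark as context.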
9 changes: 9 additions & 0 deletions docs/queries/openapi-queries.md
@@ -10,10 +10,15 @@ This page contains all queries from OpenAPI.
|Field 'securityScheme' On Components Is Undefined<br/><sup><sub>8db5544e-4874-4baa-9322-e9f75a2d219e</sub></sup>|<span style="color:#C00">High</span>|Access Control|Components' securityScheme field must have a valid scheme|<a href="https://swagger.io/specification/#security-scheme-object">Documentation</a><br/>|
|Global security field has an empty object<br/><sup><sub>543e38f4-1eee-479e-8eb0-15257013aa0a</sub></sup>|<span style="color:#C00">High</span>|Access Control|Global security definition must not have empty objects|<a href="https://swagger.io/specification/#security-requirement-object">Documentation</a><br/>|
|No Global And Operation Security Defined<br/><sup><sub>96729c6b-7400-4d9e-9807-17f00cdde4d2</sub></sup>|<span style="color:#C00">High</span>|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|<a href="https://swagger.io/specification/#security-requirement-object">Documentation</a><br/>|
|Implicit Flow in OAuth2<br/><sup><sub>4a1f3d75-ab73-41b2-83e7-06a93dc3a75a</sub></sup>|<span style="color:#C60">Medium</span>|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|<a href="https://swagger.io/specification/#oauth-flow-object">Documentation</a><br/>|
|Invalid OAuth2 Authorization URL<br/><sup><sub>52c0d841-60d6-4a81-88dd-c35fef36d315</sub></sup>|<span style="color:#C60">Medium</span>|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|<a href="https://swagger.io/specification/#oauth-flow-object">Documentation</a><br/>|
|Invalid OAuth2 Token URL<br/><sup><sub>3ba0cca1-b815-47bf-ac62-1e584eb64a05</sub></sup>|<span style="color:#C60">Medium</span>|Access Control| OAuth2 security scheme flow requires a valid URL in the tokenUrl field|<a href="https://swagger.io/specification/#oauth-flow-object">Documentation</a><br/>|
|Path Server Object Uses HTTP<br/><sup><sub>9670f240-7b4d-4955-bd93-edaa9fa38b58</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|<a href="https://swagger.io/specification/#server-object">Documentation</a><br/>|
|Global Server Object Uses HTTP<br/><sup><sub>2d8c175a-6d90-412b-8b0e-e034ea49a1fe</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Global server object URL should use 'https' protocol instead of 'http'|<a href="https://swagger.io/specification/#server-object">Documentation</a><br/>|
|Success Response Code Defined for Patch Operation<br/><sup><sub>1908a8ee-927d-4166-8f18-241152170cc1</sub></sup>|<span style="color:#C60">Medium</span>|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|<a href="https://swagger.io/specification/#operation-object">Documentation</a><br/>|
|Success Response Code Defined for Put Operation<br/><sup><sub>60b5f56b-66ff-4e1c-9b62-5753e16825bc</sub></sup>|<span style="color:#C60">Medium</span>|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|<a href="https://swagger.io/specification/#operation-object">Documentation</a><br/>|
|Success Response Code Defined for Delete Operation<br/><sup><sub>3b497874-ae59-46dd-8d72-1868a3b8f150</sub></sup>|<span style="color:#C60">Medium</span>|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|<a href="https://swagger.io/specification/#operation-object">Documentation</a><br/>|
|Success Response Code Defined for Post Operation<br/><sup><sub>f368dd2d-9344-4146-a05b-7c6faa1269ad</sub></sup>|<span style="color:#C60">Medium</span>|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|<a href="https://swagger.io/specification/#operation-object">Documentation</a><br/>|
|Undefined Scope 'securityScheme' On Global 'security' Field<br/><sup><sub>23a9e2d9-8738-4556-a71c-2802b6ffa022</sub></sup>|<span style="color:#CC0">Low</span>|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|<a href="https://swagger.io/specification/#oauth-flow-object">Documentation</a><br/>|
|Undefined Scope 'securityScheme' On 'security' Field On Operations<br/><sup><sub>462d6a1d-fed9-4d75-bb9e-3de902f35e6e</sub></sup>|<span style="color:#CC0">Low</span>|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|<a href="https://swagger.io/specification/#oauth-flow-object">Documentation</a><br/>|
|Invalid Contact Email<br/><sup><sub>b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7</sub></sup>|<span style="color:#00C">Info</span>|Best Practices|Contact Object Email should be a valid email|<a href="https://swagger.io/specification/#contact-object">Documentation</a><br/>|
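Review bot: this file repeats the docs/queries/all-queries.md rows verbatim, including the stray leading space in the "Invalid OAuth2 Token URL" description cell, "Using an scope" in both "Undefined Scope" rows, and the "Success Response Code Defined for ..." rows named for the compliant state and filed under "Networking and Firewall"; since the commit is authored by kicsbot and titled "Update queries catalog", both pages appear to be generated from the query metadata, so the wording and category fixes belong there rather than in either markdown file, or the next catalog run will reintroduce them.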
@@ -24,10 +29,14 @@ This page contains all queries from OpenAPI.
|Response Object With Incorrect Ref<br/><sup><sub>b3871dd8-9333-4d6c-bd52-67eb898b71ab</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|Response Object reference must always point to '#components/responses'|<a href="https://swagger.io/specification/#responses-object">Documentation</a><br/>|
|Servers Array Undefined<br/><sup><sub>c66ebeaa-676c-40dc-a3ff-3e49395dcd5e</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|<a href="https://swagger.io/specification/#server-object">Documentation</a><br/>|
|Path Parameter Not Required<br/><sup><sub>0de50145-e845-47f4-9a15-23bcf2125710</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|<a href="https://swagger.io/specification/#parameter-object">Documentation</a><br/>|
|Server URL Not Absolute<br/><sup><sub>a0bf7382-5d5a-4224-924c-3db8466026c9</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|The Server URL should be an absolute URL|<a href="https://swagger.io/specification/#server-object">Documentation</a><br/>|
|Invalid Content Type For Multiple Files Upload<br/><sup><sub>26f06397-36d8-4ce7-b993-17711261d777</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|<a href="https://swagger.io/docs/specification/describing-request-body/file-upload/">Documentation</a><br/>|
|Request Body With Incorrect Ref<br/><sup><sub>0f6cd0ab-c366-4595-84fc-fbd8b9901e4d</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|Request Body reference must always point to '#components/RequestBodies'|<a href="https://swagger.io/specification/#request-body-object">Documentation</a><br/>|
|Schema Discriminator Not Required<br/><sup><sub>b481d46c-9c61-480f-86d9-af07146dc4a4</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|The discriminator property in the Schema Object should be a required property|<a href="https://swagger.io/specification/#schema-object">Documentation</a><br/>|
|Responses With Wrong HTTP Status Code<br/><sup><sub>d86655c0-92f6-4ffc-b4d5-5b5775804c27</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|<a href="https://swagger.io/specification/#responses-object">Documentation</a><br/>|
|Parameter Object With Schema And Content<br/><sup><sub>31dd6fc0-f274-493b-9614-e063086c19fc</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|<a href="https://swagger.io/specification/#parameter-object">Documentation</a><br/>|
|Parameter Objects Headers With Duplicated Name<br/><sup><sub>05505192-ba2c-4a81-9b25-dcdbcc973746</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|<a href="https://swagger.io/specification/#parameter-object">Documentation</a><br/>|
|Paths Object is Empty<br/><sup><sub>815021c8-a50c-46d9-b192-24f71072c400</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|<a href="https://swagger.io/specification/#paths-object">Documentation</a><br/>|
|Parameter Object With Undefined Type<br/><sup><sub>46facedc-f243-4108-ab33-583b807d50b0</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|<a href="https://swagger.io/specification/#parameter-object">Documentation</a><br/>|
|Parameter Object With Incorrect Ref<br/><sup><sub>d40f27e6-15fb-4b56-90f8-fc0ff0291c51</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|Parameter Object reference must always point to '#components/parameters'|<a href="https://swagger.io/specification/#parameter-object">Documentation</a><br/>|
|Link Object OperationId Does Not Target Operation Object<br/><sup><sub>c5bb7461-aa57-470b-a714-3bc3d74f4669</sub></sup>|<span style="color:#00C">Info</span>|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|<a href="https://swagger.io/specification/#link-object">Documentation</a><br/>|
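Review bot: the same malformed reference targets appear in this file: `'#components/responses'`, `'#components/RequestBodies'` and `'#components/parameters'` should read `#/components/responses`, `#/components/requestBodies` and `#/components/parameters` (slash after `#`, and `requestBodies` is the spec's case-sensitive field name); the [200-599] range in "Responses With Wrong HTTP Status Code", which omits the valid 1xx class, and the "Paths Object is Empty" description that states no finding also carry over unchanged from all-queries.md and need the same correction at the source the catalog is generated from.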
