# Severity and description fields not captured when using IaC Scanning

## Summary

When using IaC Scanning, the Severity and Description information for detected vulnerabilities is not displayed properly.

- The Severity is listed as `unknown` despite docs.kics.io listing a severity for the vulnerability.
- I believe we are using the Description text as the name of the vulnerability. As a result, the Description field in GitLab says `'type' is undefined or null`.
## Steps to reproduce

- Add a `main.tf` and `variables.tf` like the ones below to a GitLab project
- Enable IaC scanning via an automatic merge request
- Run a pipeline
- When the pipeline succeeds, go to the Security tab
- Observe that the Severity is `unknown`
- Observe that the Description is `'type' is undefined or null`
- Copy the Identifier for the chosen vulnerability
- Look for that identifier in the list of Terraform queries on docs.kics.io
- Observe that this item has a known Severity
- Observe that this item has a valid, defined, non-null description
## Example Project

There's an example of this at work in the gitlab-gold/briecarranza/issues/iac-scanning project. Head straight to the Security tab.

`.gitlab-ci.yml`

```yaml
hello world:
  script:
    - echo "Hello, world."

include:
  - template: Security/SAST-IaC.latest.gitlab-ci.yml

stages:
  - test
  - init
  - validate
  - build
  - deploy
```

`main.tf`

```hcl
terraform {
  required_version = ">= 0.12.26"
}

output "hello_world" {
  value = "Hello, World!"
}

output "cute_cats" {
  value = var.instance_name
}
```

`variables.tf`

```hcl
variable "instance_name" {
  default = "catlikesbox"
}
```
## What is the current bug behavior?

- The Severity for some Terraform vulnerabilities surfaced by IaC scanning is listed as `unknown` when the severity is known.
- The Description field for some Terraform vulnerabilities surfaced by IaC scanning reads `'type' is undefined or null`.

## What is the expected correct behavior?

- The Severity for these vulnerabilities should match what is present from the vendor (KICS).
- The Description field should be populated properly.

See the Notes section below for more information about Description and other fields.
## Relevant logs and/or screenshots

### Output of checks

This bug happens on GitLab.com.

This has been observed in 2x 14.5.2 instances and in a 14.6.0 instance.

### Results of GitLab environment info

```
System information
System:         Ubuntu 18.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.7.5p203
Gem Version:    3.1.4
Bundler Version:2.1.4
Rake Version:   13.0.6
Redis Version:  6.0.16
Git Version:    2.33.1.
Sidekiq Version:6.3.1
Go Version:     unknown

GitLab information
Version:        14.6.0-ee
Revision:       518f728f72b
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     12.7
URL:            https://gitlab.example.com
HTTP Clone URL: https://gitlab.example.com/some-group/some-project.git
SSH Clone URL:  git@gitlab.example.com:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        13.22.1
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git
```
### Results of GitLab application Check

```
Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 13.22.1 ? ... OK (13.22.1)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 8 users of 100 limit.

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/1 ... yes 12/2 ... yes 12/3 ... yes 12/4 ... yes 12/5 ... yes 12/6 ... yes 12/7 ... yes 12/8 ... yes
13/9 ... yes 13/10 ... yes 13/11 ... yes 13/12 ... yes 14/13 ... yes 14/14 ... yes 14/15 ... yes
15/16 ... yes 15/17 ... yes 15/18 ... yes 15/19 ... yes 1/22 ... yes 16/24 ... yes 19/25 ... yes
1/26 ... yes 1/27 ... yes 1/28 ... yes 1/29 ... yes 1/30 ... yes 1/31 ... yes 16/32 ... yes
21/33 ... yes 16/34 ... yes 23/35 ... yes 22/36 ... yes 22/37 ... yes 22/38 ... yes 22/39 ... yes
22/40 ... yes 22/41 ... yes 22/42 ... yes 22/43 ... yes 25/44 ... yes 25/45 ... yes 25/46 ... yes
25/47 ... yes 2/48 ... yes 28/49 ... yes 30/50 ... yes 31/51 ... yes 32/52 ... yes 22/53 ... yes
34/54 ... yes 33/55 ... yes 36/56 ... yes 35/57 ... yes 35/58 ... yes 37/59 ... yes 18/62 ... yes
38/63 ... yes 38/64 ... yes 35/65 ... yes 33/66 ... yes 33/67 ... yes 43/68 ... yes 44/69 ... yes
44/70 ... yes 47/71 ... yes 57/72 ... yes 54/73 ... yes 60/74 ... yes 61/75 ... yes 52/76 ... yes
71/77 ... yes 71/79 ... yes 71/80 ... yes 71/81 ... yes 18/82 ... yes 18/83 ... yes 18/84 ... yes
75/85 ... yes 71/86 ... yes 81/87 ... yes 82/88 ... yes 71/89 ... yes 81/90 ... yes 86/91 ... yes
88/92 ... yes 88/93 ... yes 99/94 ... yes 99/95 ... yes 99/96 ... yes 100/97 ... yes 100/98 ... yes
111/99 ... yes 111/100 ... yes 111/101 ... yes 112/102 ... yes 112/103 ... yes 147/104 ... yes
147/105 ... yes 147/106 ... yes 161/107 ... yes 161/108 ... yes 161/109 ... yes 161/110 ... yes
161/111 ... yes 18/112 ... yes 171/113 ... yes 171/114 ... yes 171/115 ... yes 171/116 ... yes
171/117 ... yes 171/118 ... yes 171/119 ... yes 171/120 ... yes 181/121 ... yes 181/122 ... yes
181/123 ... yes 181/124 ... yes 181/125 ... yes 181/126 ... yes 181/127 ... yes 183/128 ... yes
183/129 ... yes 189/131 ... yes 5/132 ... yes 18/133 ... yes 181/134 ... yes 88/135 ... yes
1/136 ... yes 192/137 ... yes 1/138 ... yes 1/139 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git version >= 2.33.0 ? ... yes (2.33.1)
Git user has default SSH configuration? ... yes
Active users: ... 112
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled)

Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished
```
## 📓 Notes

I have noticed the unexpected behavior reported above with the following vulnerabilities based on Terraform queries:

| Identifier | Name | Description (from docs.kics.io) | Severity (from docs.kics.io) |
|---|---|---|---|
| 59312e8a-a64e-41e7-a252-618533dd1ea8 | Output Without Description | All outputs should contain a valid description. | Info |
| fc5109bf-01fd-49fb-8bde-4492b543c34a | Variable Without Type | All variables should contain a valid type. | Info |
| 2a153952-2544-4687-bcc9-cc8fea814a9b | Variable Without Description | All variables should contain a valid description. | Info |

You can search by Identifier on this list of Terraform queries from docs.kics.io. (That site doesn't seem to support permalinks.)

I think we are using the Description in these tables as the title. The title doesn't appear anywhere and the description is blank. Said differently:

- On docs.kics.io, a vulnerability called "Variable Without Type" has a description of "All variables should contain a valid type."
- In the Security tab of a pipeline in GitLab, a vulnerability called "All variables should contain a valid type." has a description of `'type' is undefined or null`.
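To make the field mix-up described above checkable outside the Security tab, here is an added example (not code from this issue, from GitLab or from KICS) that indexes a KICS results document by `query_id`, builds the finding shape the expected behaviour calls for (query name as name, vendor description as description, vendor severity preserved), and diffs an existing GitLab SAST-style report against it. The field names assumed for the KICS JSON (`queries[].query_id`, `query_name`, `description`, `severity`, `files[].file_name/line/actual_value`), for the GitLab report (`vulnerabilities[].name/description/severity/identifiers/location`), the `kics_id` identifier type, the severity mapping table, and the idea that `'type' is undefined or null` originates as a per-finding `actual_value` are all assumptions; both sample documents are constructed for the example.

```python
"""Cross-check IaC (KICS) findings against the fields a GitLab SAST report surfaces.

Added example for this issue; not code from GitLab or from KICS. The JSON
shapes, the "kics_id" identifier type and SEVERITY_MAP are assumptions.
"""
import json

# Assumed mapping from KICS severity labels to GitLab report severities.
SEVERITY_MAP = {
    "INFO": "Info", "LOW": "Low", "MEDIUM": "Medium",
    "HIGH": "High", "CRITICAL": "Critical",
}

# Constructed KICS result for the "Variable Without Type" query from the issue table.
# actual_value is assumed to be where "'type' is undefined or null" comes from.
KICS_RESULT = json.dumps({
    "queries": [{
        "query_id": "fc5109bf-01fd-49fb-8bde-4492b543c34a",
        "query_name": "Variable Without Type",
        "severity": "INFO",
        "description": "All variables should contain a valid type.",
        "files": [{"file_name": "variables.tf", "line": 1,
                   "actual_value": "'type' is undefined or null"}],
    }]
})

# Constructed GitLab report showing the mis-mapping the issue describes:
# description used as name, per-finding text used as description, severity lost.
GITLAB_REPORT_BAD = json.dumps({
    "version": "14.0.4",
    "vulnerabilities": [{
        "category": "sast",
        "name": "All variables should contain a valid type.",
        "description": "'type' is undefined or null",
        "severity": "Unknown",
        "identifiers": [{"type": "kics_id", "name": "Variable Without Type",
                         "value": "fc5109bf-01fd-49fb-8bde-4492b543c34a"}],
        "location": {"file": "variables.tf", "start_line": 1, "end_line": 1},
    }],
})


def index_kics(kics_json):
    """Index a KICS results document by query_id with the fields GitLab should show."""
    index = {}
    for q in json.loads(kics_json).get("queries", []):
        index[q["query_id"]] = {
            "name": q["query_name"],
            "description": q["description"],
            # An unrecognised label falls back to Unknown, the symptom check_report() flags.
            "severity": SEVERITY_MAP.get(str(q.get("severity", "")).upper(), "Unknown"),
            "files": q.get("files", []),
        }
    return index


def build_report(kics_json):
    """Emit a GitLab SAST-style report with the query fields mapped as the issue expects."""
    vulns = []
    for qid, q in index_kics(kics_json).items():
        for f in q["files"]:
            vulns.append({
                "category": "sast",
                "name": q["name"],                     # query name, not its description
                "description": q["description"],       # vendor description, not actual_value
                "message": f.get("actual_value", ""),  # per-finding detail kept separate
                "severity": q["severity"],
                "identifiers": [{"type": "kics_id", "name": q["name"], "value": qid}],
                "location": {"file": f["file_name"], "start_line": f["line"],
                             "end_line": f["line"]},
            })
    return json.dumps({"version": "14.0.4", "vulnerabilities": vulns})


def check_report(report_json, kics_index):
    """Return (query_id, file, [(field, got, expected), ...]) for each mismatching finding."""
    problems = []
    for v in json.loads(report_json).get("vulnerabilities", []):
        qid = next((i.get("value") for i in v.get("identifiers", [])
                    if i.get("type") == "kics_id"), None)
        ref = kics_index.get(qid)
        file_name = v.get("location", {}).get("file")
        if ref is None:
            problems.append((qid, file_name, [("identifier", qid, "known KICS query_id")]))
            continue
        mismatches = [(field, v.get(field), ref[field])
                      for field in ("name", "description", "severity")
                      if v.get(field) != ref[field]]
        if mismatches:
            problems.append((qid, file_name, mismatches))
    return problems


if __name__ == "__main__":
    idx = index_kics(KICS_RESULT)
    for qid, file_name, mismatches in check_report(GITLAB_REPORT_BAD, idx):
        print(f"{file_name}: {qid}")
        for field, got, expected in mismatches:
            print(f"  {field}: got {got!r}, expected {expected!r}")
    print("mismatches in rebuilt report:", check_report(build_report(KICS_RESULT), idx))
```

Run against the constructed inputs, `check_report` reports the three mismatches the issue lists (name, description and severity) for the bad report and none for the report `build_report` produces; pointing it at a real `gl-sast-report.json` artifact and the matching KICS output would give the same per-finding list for a whole project, so a `Unknown` severity or a description that is really per-finding detail is caught before anyone triages from the dashboard.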