kics report version bumped to 15.0.0 which isn't supported by gitlab 15.2.4.
I think this hasn't been reported yet, but sorry if I missed it! Hard to search for it.
Summary
Recent builds of the registry.gitlab.com/gitlab-org/security-products/analyzers/kics:3 image (linked from the official IaC/SAST template) broke compatibility with gitlab 15.2.4-ee. The exact error (shown on the security tab of a pipeline) is:
Error parsing security reports
The following security reports contain one or more vulnerability findings that could not be parsed and were not recorded. To investigate a report, download the artifacts in the job output. Ensure the security report conforms to the relevant JSON Schema.
$JOB_NAME (2)
[Schema] property '/vulnerabilities/0' is missing required keys: cve
[Schema] Version 15.0.0 for report type sast is unsupported, supported versions for this report type are: 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.0.5, 14.0.6, 14.1.0, 14.1.1, 14.1.2
The source of the issue appears to be this version bump: gitlab-org/security-products/analyzers/kics!51 (merged), which bumped the default analyzer/report version to 3.14.0 (which internally defaults to SAST report version 15.0.0); the temporary workaround is to pin the kics image version to 3.2.0. It might be a good idea to revert this change in the v3 branch and create a v4 branch for it.
This change was reverted in the analyzers/report package, but that revert was never rolled into kics (at least as of my filing this).
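Because GitLab discards the unparsable findings silently apart from that banner, a pre-upload check in the CI job can fail loudly instead. The following is an added example (not kics or GitLab code) that applies the two checks from the error above to a gl-sast-report.json: the supported-version list is the one GitLab 15.2.4 printed, and the required-key list contains only `cve` as named in the error (the real 14.x schema requires more fields); the sample reports are constructed.

```python
import json
import sys

# Supported versions exactly as listed in the GitLab 15.2.4 error message.
SUPPORTED_SAST_VERSIONS = frozenset({
    "14.0.0", "14.0.1", "14.0.2", "14.0.3", "14.0.4", "14.0.5", "14.0.6",
    "14.1.0", "14.1.1", "14.1.2",
})

# Per-finding keys the error complained about; assumption: only `cve` is checked here.
REQUIRED_FINDING_KEYS = ("cve",)


def check_report(report_text, supported=SUPPORTED_SAST_VERSIONS):
    """Return a list of problems that would make GitLab drop this report's findings.

    An empty list means the report version is accepted and every finding carries
    the keys we check for.
    """
    report = json.loads(report_text)
    problems = []
    version = report.get("version")
    if version not in supported:
        problems.append(f"report version {version!r} is unsupported")
    for idx, finding in enumerate(report.get("vulnerabilities", [])):
        for key in REQUIRED_FINDING_KEYS:
            if key not in finding:
                problems.append(f"/vulnerabilities/{idx} is missing required key: {key}")
    return problems


# Constructed samples: what the kics 3.14.0 image produces vs. a 14.x-shaped report.
SAMPLE_V15 = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [{"id": "finding-1", "name": "Constructed finding", "severity": "Medium"}],
})
SAMPLE_V14 = json.dumps({
    "version": "14.1.2",
    "vulnerabilities": [{"id": "finding-1", "cve": "finding-1", "severity": "Medium"}],
})


if __name__ == "__main__":
    # Usage in a CI job: python check_report.py gl-sast-report.json
    path = sys.argv[1] if len(sys.argv) > 1 else "gl-sast-report.json"
    with open(path, encoding="utf-8") as fh:
        found = check_report(fh.read())
    for problem in found:
        print(f"[report-check] {problem}")
    sys.exit(1 if found else 0)
```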
Steps to reproduce
Try to use the default IaC-scanning template with gitlab 15.2.4-ee; it fails.
What is the current bug behavior?
IaC scanning image produces an unsupported (by gitlab 15.2.4-ee) report version.
What is the expected correct behavior?
Report version should probably be compatible with shipping versions, or more docs should be provided to indicate which versions of gitlab should be used with which versions of the kics image.
Possible fixes
- Document which gitlab versions are supported with which kics versions.
- Maybe bump the report package in kics to revert back to 14.x reports?