Upstream kics analyzer from v1.6.2 causes "exit status 2" error
Summary
From v3.5.0 of GitLab's kics analyzer, the version of the upstream analyzer changed from v1.6.0 to v1.6.2. Since that version change in GitLab's kics analyzer image, the kics analyzer fails with exit status 2 when running a scan against a project that contains a conditional resource reference within an aws_iam_policy_document block. This issue has been raised on behalf of a customer.
This relates to a bug in the upstream kics analyzer project: https://github.com/Checkmarx/kics/issues/5932
It was fixed in the following PR: https://github.com/Checkmarx/kics/pull/5939/files
The customer has confirmed that running the kics analyzer v1.6.5 manually via the CLI does not trigger the bug. Running v1.6.2 via the CLI reproduces the bug.
Workaround
Pin the GitLab kics analyzer image version to v3.4.0, as it still uses upstream kics v1.6.0. The latest GitLab kics analyzer still uses v1.6.2, which is affected by the bug.
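A .gitlab-ci.yml that applies the workaround, as an added example that is not taken from the issue or the linked example project: it includes the SAST IaC template and pins the kics job to the 3.4.0 analyzer image. The job name kics-iac-sast and the SAST_ANALYZER_IMAGE_TAG variable are assumed from the template's defaults and should be checked against the template revision your instance uses.

```yaml
# Added example (not from the issue): pin the GitLab kics analyzer to 3.4.0,
# which still ships upstream kics v1.6.0 and is therefore unaffected.
include:
  - template: Security/SAST-IaC.gitlab-ci.yml

# Default (no override): the template resolves to the latest 3.x image, which
# at the time of this issue bundles upstream kics v1.6.2 and fails with
# "exit status 2" on conditional references inside aws_iam_policy_document.
#
# kics-iac-sast:
#   variables:
#     SAST_ANALYZER_IMAGE_TAG: "3"

# Workaround: override the tag so the job uses the last unaffected image.
# Job name and variable name are assumed from the template, not confirmed
# by the issue; remove the override once the upstream bump to v1.6.5 ships.
kics-iac-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: "3.4.0"
```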
Proposal
Increment the version of the upstream kics analyzer to v1.6.5, as this has been tested to work.
Steps to reproduce
- Create a new project on GitLab.com
- Create a new main.tf file as per this GitHub issue: https://github.com/Checkmarx/kics/issues/5932
- Create a .gitlab-ci.yml file with the SAST IaC template
- Commit changes
Example Project
https://gitlab.com/gitlab-gold/tmike/zd346347/zd346347/-/pipelines/708550241
What is the current bug behavior?
Analyzer template job fails with "exit status 2"
What is the expected correct behavior?
Analyzer job should pass (it does when using kics analyzer v1.6.5 manually via the CLI)