
Image checkmarx/kics:gh-action-kics1.6 contains old version of kics #84

Closed
konstruktoid opened this issue Mar 16, 2023 · 13 comments

Comments

@konstruktoid
Contributor

$ podman run -ti --entrypoint=/bin/sh checkmarx/kics:gh-action-kics1.6
Resolving "checkmarx/kics" using unqualified-search registries (/etc/containers/registries.conf.d/999-podman-machine.conf)
Trying to pull docker.io/checkmarx/kics:gh-action-kics1.6...
Getting image source signatures
Copying blob sha256:28efade68f07d4fea7a94fd40589e5ddd58bc30abd3d80bc5f50618d8ed5a17c
Copying blob sha256:63b65145d645c1250c391b2d16ebe53b3747c295ca8ba2fcb6b0cf064a4dc21c
Copying blob sha256:d3332bc4f86b6286c55c2dad7d48650e46efeedaf4ded85706f59c32df62a374
Copying blob sha256:4c08bcd54f581e0e563d0a6787ea2e6717a8faf88aa233d377b7d80265244645
Copying blob sha256:5607687c41bc1e50f48eb97956b03dbfd79e199f7f0ef558b57535b3c301ae16
Copying blob sha256:fb5b7d4f427d5594dd2ff0fee4e6d67793489d6ab168f5d06c40179f22b88730
Copying blob sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
Copying config sha256:543ce91ac8ae0101c6ccd9d0efdc134bf67af4fb1df7189313d8334f18720042
Writing manifest to image destination
Storing signatures
/app/bin # kics version
Keeping Infrastructure as Code Secure v1.6.11

https://github.com/Checkmarx/kics/releases/tag/v1.6.12 was released two days ago.

Version publish workflow failed: https://github.com/Checkmarx/kics-github-action/actions/runs/4425414961/jobs/7760437819

https://github.com/konstruktoid/ansible-cowrie-rootless/actions/runs/4436489949/jobs/7787541620#step:5:66
"A new version 'v1.6.12' of KICS is available, please consider updating"

@kaplanlior

Thanks Thomas,

The KICS github action uses a different tag to select which version of KICS it runs.
We usually advance it a week past the release to verify there aren't any regressions.

After some gap in this, two days ago we jumped from 1.6.6 to 1.6.11.

@gabriel-cx
Contributor

Hi @konstruktoid ,

Thank you for your feedback on this.
We are aware of this situation, because, currently, we decided that our GitHub action should be 'one step behind' regarding the latest KICS version.

Does this information clarify your situation?
If yes, kindly close this issue.
If not, feel free to leave us a comment.

@konstruktoid
Contributor Author

thanks for the quick replies, but why should it be 'one step behind'?
i don't really mind if it is, but the reason i noticed was because it crashed and made the workflow fail, https://github.com/konstruktoid/ansible-cowrie-rootless/actions/runs/4436489949/jobs/7787541620#step:5:89

@gabriel-cx
Contributor

The reason is just to make sure there aren't any regressions.
The action update mechanism was getting some errors, but in the end it was fixed and the github action update to v1.6.11 was successfully performed.

@konstruktoid
Contributor Author

so the latest KICS version shouldn’t be considered stable?
and this https://github.com/konstruktoid/ansible-cowrie-rootless/actions/runs/4436489949/jobs/7787541620#step:5:89

@gabriel-cx
Contributor

Latest KICS versions are always stable, don't worry about that. KICS github action is always one version behind just to add a layer of certainty that there aren't any regressions.

This situation is not related to KICS engine, that issue was fixed by this PR. Basically ncc needed to be updated in the KICS github action side.

@konstruktoid
Contributor Author

Yeah, the issue was fixed by #83 but that doesn't seem to have been pushed to the Docker hub?
https://github.com/konstruktoid/ansible-cowrie-rootless/actions/runs/4440664275/jobs/7811907364 a minute ago.

> [email protected] build
> ncc build src/main.js

ncc: Version 0.31.1
ncc: Compiling file index.js into CJS
Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:71:19)
    at Object.createHash (node:crypto:133:10)
    at hashOf (/app/node_modules/@vercel/ncc/dist/ncc/index.js.cache.js:37:1855992)
    at ncc (/app/node_modules/@vercel/ncc/dist/ncc/index.js.cache.js:37:1860457)
    at runCmd (/app/node_modules/@vercel/ncc/dist/ncc/cli.js.cache.js:1:55128)
    at 819 (/app/node_modules/@vercel/ncc/dist/ncc/cli.js.cache.js:1:51698)
    at __webpack_require__ (/app/node_modules/@vercel/ncc/dist/ncc/cli.js.cache.js:1:59048)
    at /app/node_modules/@vercel/ncc/dist/ncc/cli.js.cache.js:1:59260
    at /app/node_modules/@vercel/ncc/dist/ncc/cli.js.cache.js:1:59321
    at Object.<anonymous> (/app/node_modules/@vercel/ncc/dist/ncc/cli.js:8:28) {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
node:internal/modules/cjs/loader:1078
  throw err;
  ^

Error: Cannot find module '/app/dist/index.js'
    at Module._resolveFilename (node:internal/modules/cjs/loader:1075:15)
    at Module._load (node:internal/modules/cjs/loader:920:27)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:23:47 {
  code: 'MODULE_NOT_FOUND',
  requireStack: []
}

Node.js v18.14.2

@gabriel-cx
Contributor

The fix was related to the KICS github action, not related to KICS engine itself.
Which version of the github action are you using?

Seems that you probably are using the v1.6.2 version (or older) of the action and not v1.6.3 (latest).
If that is the case, kindly use the latest version of the github action v1.6.3. This will help you with that situation.

@konstruktoid
Contributor Author

Also d237b76

@gabriel-cx
Contributor

Regarding gh-action-kics1.6: this is the image that contains the KICS version that this KICS github action uses. Currently, that image contains version v1.6.11 of the KICS engine and in 2 weeks will point to v1.6.12, etc.

In terms of documentation, we will update it. Thanks for pointing this out!

Looks like you are using an old version of kics github action, you are using the v1.6. Kindly update it to v1.6.3.
Tell me if all this information solves/clarifies your issues/doubts.

@konstruktoid
Contributor Author

thanks @gabriel-cx, checkmarx/[email protected] works.
the confusion stemmed from v1.6 being the recommended version according to the documentation, and available as a Docker image but not as a Github Action release. There's no Github Action release between v1.5 and v1.6.3, and neither v1.5 nor v1.6.3 exists as a Docker image.

@gabriel-cx
Contributor

No problem, @konstruktoid !
We already updated the GitHub action readme to mention the use of checkmarx/[email protected].

Yes, the docker image used by this GitHub Action is checkmarx/kics:gh-action-kics1.6, and it always points to the previous version of KICS compared to the latest version (currently, KICS latest is 1.6.12, so this GitHub Action runs KICS 1.6.11).
Basically, every KICS GitHub Action version that starts with 'v1.6' (e.g. 1.6, 1.6.1, 1.6.2, 1.6.3, etc.) will always use the docker image checkmarx/kics:gh-action-kics1.6.

Thanks for the feedback and feel free to open another issue or contact me directly if you need any kind of support.
