Issue with bicep and httpsOnly/minimalTls

[chielboogaard]

Hi all,

I'm currently testing if Kics would work in our workflow. But I'm finding that the checks:

488847ff-6031-487c-bf42-98fd6ac5c9a0: Website Not Forcing HTTPS
b5c851d5-00f1-43dc-a8de-3218fd6f71be: Web App Not Using TLS Last Version
70111098-7f85-48f0-b1b4-e4261cf5f61b: Website with 'Http20Enabled' Disabled

Are always flagged.

I have the following resource in bicep:

resource _webApplication 'Microsoft.Web/sites@2024-11-01' = {
  dependsOn: []
  name: '${NameInfix}WA-${Webapp.name}-${Webapp.index}'
  location: Location
  tags: Tags
  kind: Webapp.kind
  properties: {
    serverFarmId: appServicePlan.id
    httpsOnly: true
    reserved: Webapp.asp.os == 'linux' ? true : Webapp.asp.os == 'windows' ? false : false
    siteConfig: {
      http20Enabled: true
      minTlsVersion: '1.2'
    }
    virtualNetworkSubnetId: virtualNetwork::subnet.id
  }
}

does not matter what I do, the 3 above are always flagged.

anyone an idea what I'm doing wrong or what is going on here?

[cx-artur-ribeiro]

Hi @chielboogaard!
Thanks for sharing your issue and apologies for the delayed reply!

I ran a scan using the Bicep code you provided and got three findings, but only one of them matches the checks you mentioned:

• httpsOnly: true is correctly set, so “Website Not Forcing HTTPS” was not flagged in my scan.
• “Web App Not Using TLS Last Version” was flagged because minTlsVersion is set to '1.2' and KICS expects '1.3' to satisfy that check as for the new query update;
• http20Enabled:true is also set correctly, so “Website with 'Http20Enabled' Disabled” was not flagged.

In addition, I received two other findings unrelated to your original report.

Here’s the scan summary and the full results:
discussion_results_001.json

Let me know if you'd like help with suppressing specific checks or narrowing down your scan scope.
Happy to assist further if needed!

[chielboogaard]

You are totally right, thank you

[chielboogaard]

Sorry, to bother you, but For some reason I do still get the issues popping up. :(

[chielboogaard]

I gives met the following for TLS:
Also I notice that my kics is giving met the with '1.2' and yours is saying '1.3'

Web App Not Using TLS Last Version, Severity: MEDIUM, Results: 1
Description: Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'
Platform: AzureResourceManager
CWE: 327
Learn more about this vulnerability: https://docs.kics.io/latest/queries/azureresourcemanager-queries/azure/b5c851d5-00f1-43dc-a8de-3218fd6f71be

	[1]: ../../path/asp_wa_ai.bicep:98

		097:   dependsOn: []
		098:   name: '${NameInfix}WA-${Webapp.name}-${Webapp.index}'
		099:   location: Location

or this for HTTPS:

Website Not Forcing HTTPS, Severity: MEDIUM, Results: 1
Description: 'Microsoft.Web/sites' should force the use of HTTPS
Platform: AzureResourceManager
CWE: 319
Learn more about this vulnerability: https://docs.kics.io/latest/queries/azureresourcemanager-queries/azure/488847ff-6031-487c-bf42-98fd6ac5c9a0

	[1]: ../../path/asp_wa_ai.bicep:102

		101:   kind: Webapp.kind
		102:   properties: {
		103:     serverFarmId: _appServicePlan.id

edit:
on the tls the row 098: name: '${NameInfix}WA-${Webapp.name}-${Webapp.index}' is highlighted and on https that is: 102: properties: {
don't know if that helps

[chielboogaard]

It looks like this row is the part that makes it fail:
appSettings: (!empty(Webapp.appSettings)) ? Webapp.appSettings : []

which i recently added to the resource

[cx-artur-ribeiro]

Hi @chielboogaard, no worries at all, you're not bothering me!
I'm happy to help however I can.

Thanks for sharing the details and the file sample. Let me address both of the issues you're seeing:

Also I notice that my kics is giving met the with '1.2' and yours is saying '1.3'

I'm currently using KICS v2.1.11, which includes the latest changes from master. One of the updates in the TLS-related azure resource manager query now recommends using '1.3' as the latest secure version, instead of '1.2'.

However, your KICS version may still be using the older logic, which is why you're seeing '1.2' as the expected value.

Web App Not Using TLS Last Version Query

1. Why is line 098: name: '${NameInfix}WA-${Webapp.name}-${Webapp.index}' being flagged?

• KICS reports the issue on line 98 because it links the vulnerability to the resource name. Even though the actual problem is that the properties.siteConfig.minTlsVersion field is missing, this is KICS’s current way of pointing to the enclosing resource block when the field minTlsVersion is missing or missplaced.
• If you think the query should highlight a more specific line, feel free to open an issue on the KICS repo, we’d love to improve detection accuracy.

2. How can we fix this vulnerability:
   To fix the TLS vulnerability, make sure you have:

properties: {
  siteConfig: {
    minTlsVersion: '1.3' // or '1.2' if you're using an older KICS version
  }
}

Website Not Forcing HTTPS Query

1. Regarding the HTTPS result, whats happening?

• KICS is highlighting 102: properties: {. This is because the httpsOnly field is expected inside properties. If it's missing or not explicitly set to true, KICS will flag it.

2. To fix this vulnerability, make sure you have:

properties: {
  httpsOnly: true
}

AppSettings field addition causing issues in detection

1. The line you added: appSettings: (!empty(Webapp.appSettings)) ? Webapp.appSettings : [] by itself shouldn’t cause either of the vulnerabilities (TLS version or HTTPS enforcement) to be flagged.
   If you'd like, feel free to share a slightly larger snippet with 'appSettings' included and I can try to help review the structure to confirm everything’s nested correctly or understand if KICS payload formation is being wrongly formated for resources using that field.

Hope this helps clarify why the vulnerabilities are being flagged on those lines and what remediation steps you can apply to resolve them.
If you have any more questions, feel free to continue the discussion, I'll be happy to assist further! 😄