I am using the good practice of reusing responses in my OpenAPI spec, which format is defined here.
So every schema for my path responses is well defined inside my components/responses section.
When I am executing the scan with the following command:

```sh
docker run --rm -v "$(pwd):/workdir" \
  checkmarx/kics:latest \
  scan \
  -p /workdir \
  -o /workdir/sast-reports \
  --report-formats json \
  --output-name sast-iac-report
```

I am getting the query "Response on operations that should have a body has undefined schema (v3)" incorrectly reported on every response in my OpenAPI spec.
This is an example of what I am getting in the JSON report from SAST:

```json
{
  "query_name": "Response on operations that should have a body has undefined schema (v3)",
  "query_id": "a92be1d5-d762-484a-86d6-8cd0907ba100",
  "query_url": "https://swagger.io/docs/specification/describing-responses/",
  "severity": "MEDIUM",
  "platform": "OpenAPI",
  "cwe": "665",
  "cloud_provider": "COMMON",
  "category": "Networking and Firewall",
  "experimental": false,
  "description": "If a response is not head or its code is not 204 or 304, it should have a schema defined",
  "description_id": "eaff445e",
  "files": [
    {
      "file_name": "<path_to_my_openapi_spec>/spec.yaml",
      "similarity_id": "e08dcd3c1ce5c29d67f5bf23b68c33cb39476382ecb9dc34e9fab41b95ffb0c7",
      "line": 60,
      "issue_type": "MissingAttribute",
      "search_key": "paths./<my_endpoint>.post.responses.500",
      "search_line": -1,
      "search_value": "",
      "expected_value": "paths./<my_endpoint>.post.responses.500.content should be defined",
      "actual_value": "paths./<my_endpoint>.post.responses.500.content is undefined"
    },
    .....
  ]
}
```
Expected Behavior
KICS is identifying the $ref reference, so the scan finds the required fields inside the defined response component.
Actual Behavior
KICS is not identifying the $ref reference, so the scan reports issues for not having a well defined schema on response codes which should have a body.
Steps to Reproduce the Problem
Define in your OpenAPI spec a response to be reused:

```yaml
components:
  responses:
    CustomResponse:
      description: Custom response with a well defined schema.
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/ErrorResponse"
```
Define in your OpenAPI spec a path reusing a response defined in your component responses:
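For readers who want to see what the rule in this report should be doing, here is an added example (not code from the issue author or from the KICS project) of the same check implemented with local `$ref` resolution: a response declared once under `components/responses` and reused from an operation via `$ref` is followed to its target before the `content`/`schema` test is applied, so only responses that genuinely lack a schema are reported. The sample spec is constructed for this example and written as JSON (OpenAPI accepts JSON as well as YAML) so the script needs only the standard library; the function and finding-string names are my own choices, loosely modelled on the `search_key` format in the report above.

```python
"""Added example: the "response should have a schema" rule with $ref resolution.

Not part of the KICS issue or the KICS code base. Constructed sample spec,
hypothetical function names. Skips HEAD operations and the 204/304 codes,
as the quoted query description says the rule should.
"""
import json

# Constructed sample spec: one reusable response reached through $ref,
# one inline response without a schema, one bodyless code, one HEAD op.
SAMPLE_SPEC_JSON = """
{
  "openapi": "3.0.3",
  "info": {"title": "demo", "version": "1.0"},
  "paths": {
    "/items": {
      "post": {
        "responses": {
          "200": {"description": "No schema declared here (should be reported)"},
          "204": {"description": "No content"},
          "500": {"$ref": "#/components/responses/CustomResponse"}
        }
      },
      "head": {
        "responses": {"200": {"description": "HEAD never carries a body"}}
      }
    }
  },
  "components": {
    "responses": {
      "CustomResponse": {
        "description": "Custom response with a well defined schema.",
        "content": {
          "application/json": {
            "schema": {"$ref": "#/components/schemas/ErrorResponse"}
          }
        }
      }
    },
    "schemas": {
      "ErrorResponse": {
        "type": "object",
        "properties": {"message": {"type": "string"}}
      }
    }
  }
}
"""

BODYLESS_CODES = {"204", "304"}


def resolve_ref(spec, node, max_depth=32):
    """Follow local '#/...' $ref pointers until a concrete object is reached.

    Returns None for remote/file refs (out of scope here) and for a missing node.
    Raises on an over-long chain so a self-referencing pointer cannot loop forever.
    """
    depth = 0
    while isinstance(node, dict) and "$ref" in node:
        if depth >= max_depth:
            raise ValueError("$ref chain too deep (cycle?)")
        ref = node["$ref"]
        if not isinstance(ref, str) or not ref.startswith("#/"):
            return None
        node = spec
        for part in ref[2:].split("/"):
            # JSON Pointer escaping: ~1 is '/', ~0 is '~'
            part = part.replace("~1", "/").replace("~0", "~")
            if not isinstance(node, dict) or part not in node:
                return None
            node = node[part]
        depth += 1
    return node


def response_has_schema(spec, response):
    """True if the (possibly $ref'd) response has at least one media type with a schema."""
    target = resolve_ref(spec, response)
    if not isinstance(target, dict):
        return False
    content = target.get("content") or {}
    return any(
        isinstance(media, dict) and resolve_ref(spec, media.get("schema")) is not None
        for media in content.values()
    )


def find_undefined_schemas(spec_text):
    """Return search keys for responses that should carry a body but define no schema."""
    spec = json.loads(spec_text)
    findings = []
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            # Skip HEAD (never has a body) and non-operation keys such as "parameters".
            if method.lower() == "head" or not isinstance(op, dict):
                continue
            for code, resp in (op.get("responses") or {}).items():
                if str(code) in BODYLESS_CODES:
                    continue
                if not response_has_schema(spec, resp):
                    findings.append(f"paths.{path}.{method}.responses.{code}")
    return findings


if __name__ == "__main__":
    for key in find_undefined_schemas(SAMPLE_SPEC_JSON):
        print(f"{key}.content should be defined")
```

Run against the constructed spec, only the inline `200` response on the `post` operation is reported; the `500` response that points at `#/components/responses/CustomResponse` resolves to a response whose `application/json` media type has a schema and is therefore accepted, which is the behaviour the issue describes as expected.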