fix: [CKV_OPENAPI_3] Prevent false-positive when checking for http+!basic

Description

Currently:

✅ Pass: type: http with scheme: basic fails
❌ Fail: type: http with scheme: bearer (or anything else) passes

After this change:

✅ Pass: type: http with scheme: basic fails
✅ Pass: type: http with scheme: bearer (or anything else) passes

Fixes #6172

Description

Let's restate the purpose of CKV_OPENAPI_3:

Ensure that security schemes don’t allow cleartext credentials over unencrypted channel - version 3.x.y files

Currently, type: http and scheme: basic fail this check, which is good. Failing http+basic ensures that cleartext credentials aren't transmitted at all, but it doesn't check whether the channel is unencrypted (http vs. https), which the check doesn't seem to accomplish at all (separate issue). But type: http and scheme: bearer uses opaque tokens that aren't considered cleartext, and thus should pass this check but currently fails.

To be clear type: https isn't a valid type, those are the possible type values:

[...] where each scheme can be of type:

http – for Basic, Bearer and other HTTP authentications schemes

apiKey – for API keys and cookie authentication

oauth2 – for OAuth 2

openIdConnect – for OpenID Connect Discovery

Source: https://swagger.io/docs/specification/authentication/

Fix

This is a false-positive and thus existing code should work fine and pass. If people disabled CKV_OPENAPI_3 to bypass this check then they could re-enable it after this PR is merged.

Checklist:

[x] My code follows the style guidelines of this project
[x] I have performed a self-review of my own code
[x] I have commented my code, particularly in hard-to-understand areas
[ ] I have made corresponding changes to the documentation
[x] I have added tests that prove my feature, policy, or fix is effective and works
[ ] New and existing tests pass locally with my changes
[x] Any dependent changes have been merged and published in downstream modules

Note: all tests are passing except 9 of them that complain about the aiodns library. Not sure how to solve that:

================================================================================= short test summary info =================================================================================
FAILED tests/common/utils/test_http_utils.py::test_aiohttp_client_session_wrapper_with_one_handled_exception - RuntimeError: Resolver requires aiodns library
FAILED tests/common/utils/test_http_utils.py::test_aiohttp_client_session_wrapper_with_several_handled_exceptions - RuntimeError: Resolver requires aiodns library
FAILED tests/common/utils/test_http_utils.py::test_raiohttp_client_session_wrapper_with_one_not_handled_exception - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_docker_image_scanning.py::test_report_results - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_docker_image_scanning.py::test_report_results_with_cicd - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_docker_image_scanning.py::test_report_results_fail - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_package_scanning.py::test_report_results - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_package_scanning.py::test_report_results_with_cicd - RuntimeError: Resolver requires aiodns library
FAILED tests/common/bridgecrew/vulnerability_scanning/integrations/test_package_scanning.py::test_report_results_fail - RuntimeError: Resolver requires aiodns library
=========================================================== 9 failed, 4462 passed, 27 skipped, 5 warnings in 137.22s (0:02:17) ============================================================

bridgecrewio / checkov