fix(oas): allow bearer scopes on operations in OpenAPI 3.1

OAS 3.1 permits scope lists on http bearer security requirements
without defining those scopes on the security scheme. Skip scope
validation for bearer schemes when the document is OpenAPI 3.1+.

Fixes #2643

Author: slegarraga

packages/rulesets/src/oas/__tests__/oas3-operation-security-defined.test.ts

@@ -210,4 +210,33 @@ testRule('oas3-operation-security-defined', [
       },
     ],
   },
+
+  {
+    name: 'oas3.1: bearer http scopes on operation without scheme-level scopes',
+    document: {
+      openapi: '3.1.0',
+      info: { title: 'test', version: '1.0.0' },
+      paths: {
+        '/users': {
+          get: {
+            security: [
+              {
+                bearerAuth: ['read:users', 'public'],
+              },
+            ],
+          },
+        },
+      },
+      components: {
+        securitySchemes: {
+          bearerAuth: {
+            type: 'http',
+            scheme: 'bearer',
+            bearerFormat: 'jwt',
+          },
+        },
+      },
+    },
+    errors: [],
+  },
 ]);

packages/rulesets/src/oas/functions/oasSecurityDefined.ts

@@ -33,6 +33,9 @@ export default createRulesetFunction<Record<string, string[]>, Options>(
 
     if (!isPlainObject(document.data)) return;
 
+    const openapiVersion =
+      typeof document.data.openapi === 'string' ? document.data.openapi : '';
+
     const allDefs =
       oasVersion === 2
         ? document.data.securityDefinitions
@@ -58,7 +61,7 @@ export default createRulesetFunction<Record<string, string[]>, Options>(
       const scope = input[schemeName];
       for (let i = 0; i < scope.length; i++) {
         const scopeName = scope[i];
-        if (!isScopeDefined(oasVersion, scopeName, allDefs[schemeName])) {
+        if (!isScopeDefined(oasVersion, scopeName, allDefs[schemeName], openapiVersion)) {
           results ??= [];
           results.push({
             message: `"${scopeName}" must be listed among scopes.`,
@@ -72,9 +75,24 @@ export default createRulesetFunction<Record<string, string[]>, Options>(
   },
 );
 
-function isScopeDefined(oasVersion: 2 | 3, scopeName: string, securityScheme: unknown): boolean {
+function isScopeDefined(
+  oasVersion: 2 | 3,
+  scopeName: string,
+  securityScheme: unknown,
+  openapiVersion = '',
+): boolean {
   if (!isPlainObject(securityScheme)) return false;
 
+  // OpenAPI 3.1 allows scope lists on http bearer requirements without scheme-level scope definitions
+  if (
+    oasVersion === 3 &&
+    openapiVersion.startsWith('3.1') &&
+    securityScheme.type === 'http' &&
+    securityScheme.scheme === 'bearer'
+  ) {
+    return true;
+  }
+
   if (oasVersion === 2) {
     return isPlainObject(securityScheme.scopes) && scopeName in securityScheme.scopes;
   }