bug: SARIF URI scheme "git" did not match the checkout URI scheme "file" #5003
Comments
I had the same error when using the module below: terraform-aws-modules/lambda/aws
Any update on this? The only release that works is 0.8.0. All the others fail.
Adding some notes from testing: I cannot reproduce this running
I'm hoping the reproductions below help!

OS: MacOS 13.5.2

Works (local)

```
$ trivy --version
Version: 0.45.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-22 00:23:59.552431691 +0000 UTC
  NextUpdate: 2023-09-22 06:23:59.552431291 +0000 UTC
  DownloadedAt: 2023-09-22 04:44:16.227725 +0000 UTC
Policy Bundle:
  Digest: sha256:fd5f1ce3d8efb1fe158cb41f9adb9d7c7cc5c4c863b261053c962e6d950350b3
  DownloadedAt: 2023-09-22 04:44:24.462946 +0000 UTC

# Grep finds no invalid results
$ trivy repo --quiet \
    --scanners config \
    --format sarif \
    https://github.com/terraform-aws-modules/terraform-aws-lambda \
    | grep '"uri": "git:'
```

Broken (docker)

```
$ docker run --rm ghcr.io/aquasecurity/trivy:0.45.1 --version
Version: 0.45.1

# Grep finds several invalid URIs in result
$ docker run --rm ghcr.io/aquasecurity/trivy:0.45.1 repo --quiet \
    --scanners config \
    --format sarif \
    https://github.com/terraform-aws-modules/terraform-aws-lambda \
    | grep '"uri": "git:'
          "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.0.1/main.tf",
          "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=v5.0.0/main.tf",
          "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=v5.0.0/main.tf",
          "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=v5.0.0/main.tf",
          "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=v5.0.0/main.tf",
```
I think this was introduced by this PR aquasecurity/defsec#1202, which basically reverted this year-old fix aquasecurity/defsec#889.

Edit: maybe not, by looking at all the dates and contexts, but it seems related.

See also GitHub Code Scanning API limitations for the SARIF format: github/codeql-action#754 (comment)
* fix(sarif): removes git::http from uri in sarif

  ## Description

  ## Related issues
  - Fixes #5003

  ## Checklist
  - [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
  - [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
  - [ ] I've added tests that prove my fix is effective or that my feature works.
  - [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
  - [ ] I've added usage information (if the PR introduces new options)
  - [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

  * fix lint

  Co-authored-by: Simar <simar@linux.com>
It seems the PR did not fix it, I still get the error with Trivy v0.46.0, URI schemes are not removed 😕

```
$ trivy version
Version: v0.46.0
$ trivy config --format sarif --output trivy-results.sarif .
$ jq '[
  .runs[].results[].locations[].physicalLocation.artifactLocation.uri
  | select(startswith("git::https:/"))
] | length' trivy-results.sarif
41
```

I am currently working around it with:

```
sed -i 's#git::https:/##g' trivy-results.sarif
```
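An added example, not code from the issue, from Trivy, or from anyone in this thread: the same check as the `jq` count above, plus a rewrite that goes further than the `sed` one-liner. It detects any `artifactLocation.uri` that carries a URI scheme (the SARIF `uri` is a URI reference, and code scanning rejects a scheme that does not match the checkout), strips the go-getter forcing prefix and inner scheme, and moves the `?ref=...` query, which belonged to the module source, out of the path so the file name is no longer hidden in a query string. The `SAMPLE_SARIF` document is constructed to match the shape of the Trivy output quoted earlier; the `originalUri` and `moduleRef` property-bag keys are my own naming, not anything Trivy or GitHub defines.

```python
import copy
import json
import re
import sys

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
# "git::https:/..." matches with scheme "git", which is exactly what the
# code scanning error quoted in this issue reports.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def uri_scheme(uri):
    """Return the lower-cased scheme of a URI, or None for a relative reference."""
    m = SCHEME_RE.match(uri)
    return m.group(0)[:-1].lower() if m else None


def iter_artifact_locations(sarif):
    """Yield every artifactLocation reachable via runs[].results[].locations[]."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation")
                if art is not None and "uri" in art:
                    yield art


def absolute_uris(sarif):
    """List the uri values that carry a scheme (the ones code scanning rejects)."""
    return [a["uri"] for a in iter_artifact_locations(sarif) if uri_scheme(a["uri"])]


def normalize_module_uri(uri):
    """Turn a go-getter style module path such as
         git::https:/github.com/org/repo?ref=v5.0.0/main.tf
       into a scheme-less relative path plus the pinned ref:
         ("github.com/org/repo/main.tf", "v5.0.0")
       A URI with no scheme is returned unchanged, with ref None."""
    if uri_scheme(uri) is None:
        return uri, None
    # Drop the go-getter forcing prefix ("git::") when present.
    rest = uri.split("::", 1)[1] if "::" in uri else uri
    # Drop the inner scheme; the quoted output has "https:/" with one slash,
    # so strip whatever slashes follow instead of expecting "//".
    rest = SCHEME_RE.sub("", rest, count=1).lstrip("/")
    # The "?ref=..." query belonged to the module source, so the file path was
    # appended after it. Split it back out (a ref containing "/" would be
    # ambiguous here; the refs in this issue are plain tags).
    ref = None
    if "?" in rest:
        base, after = rest.split("?", 1)
        query, _, tail = after.partition("/")
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        ref = params.get("ref")
        rest = base + ("/" + tail if tail else "")
    return rest, ref


def rewrite_sarif(sarif):
    """Rewrite absolute module URIs in place, keeping the original and the ref
       in the artifactLocation property bag (my own key names). Returns the
       number of rewritten locations."""
    changed = 0
    for art in iter_artifact_locations(sarif):
        path, ref = normalize_module_uri(art["uri"])
        if path != art["uri"]:
            props = art.setdefault("properties", {})
            props["originalUri"] = art["uri"]
            if ref:
                props["moduleRef"] = ref
            art["uri"] = path
            changed += 1
    return changed


def _loc(uri):
    return {"physicalLocation": {"artifactLocation": {"uri": uri}}}


# Constructed sample shaped like the Trivy output quoted in the issue.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"results": [
        {"locations": [_loc("main.tf")]},
        {"locations": [_loc("git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=v5.0.0/main.tf")]},
        {"locations": [_loc("git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.0.1/main.tf")]},
    ]}],
}


def demo():
    """Run the check and the rewrite on the sample; returns (before, changed, after)."""
    doc = copy.deepcopy(SAMPLE_SARIF)
    before = absolute_uris(doc)
    changed = rewrite_sarif(doc)
    return before, changed, absolute_uris(doc)


if __name__ == "__main__":
    if len(sys.argv) == 2:  # e.g. python normalize_sarif.py trivy-results.sarif > fixed.sarif
        with open(sys.argv[1]) as f:
            doc = json.load(f)
        print(f"rewrote {rewrite_sarif(doc)} URI(s)", file=sys.stderr)
        json.dump(doc, sys.stdout, indent=2)
    else:
        before, changed, after = demo()
        print(f"absolute URIs before: {before}\nrewritten: {changed}\nafter: {after}")
```

The rewritten path is relative, so the upload no longer trips the scheme check, but it still names a file that is not in the checkout; `originalUri` and `moduleRef` keep a record of where the finding really came from. Note also what the `sed` workaround leaves behind: `github.com/.../terraform-aws-vpc?ref=v5.0.0/main.tf` parses as a path ending at `terraform-aws-vpc` with `main.tf` inside the query, which is why the query is split out here.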
Same in
Still an issue in
Unfortunately, still an issue for us. Thanks, @maxbrunet, for the temporary fix!
Also used the workaround above with the current version of Trivy. Works great, but any chance you can reopen this @knqyf263?
@nikpivkin Can you please take a look?
source: https://github.com/aquasecurity/tfsec/issues/1955
Config example:
Output:
I used this service for SARIF validation: https://sarifweb.azurewebsites.net/Validation
Validation result:
Description of the uri property in the SARIF specification.