fix(sarif): check url before converting to string #8154

Open
2 tasks done
nikpivkin opened this issue Dec 21, 2024 Discussed in #8150 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@nikpivkin
Contributor

If the URL is invalid, we log this and return nil. Further operations with such a URL may cause a panic.

Discussed in #8150

Originally posted by natenho December 21, 2024

### Description

Hello, the latest trivy version is returning an error when generating sarif file.

### Desired Behavior

No error

### Actual Behavior

```text
+ wget https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh -O - | sh -s -- -b /usr/local/bin latest
Connecting to raw.githubusercontent.com (185.199.109.133:443)
writing to stdout
-                    100% |********************************| 10578  0:00:00 ETA
written to stdout
aquasecurity/trivy info checking GitHub for tag 'latest'
aquasecurity/trivy info found version: 0.58.0 for v0.58.0/Linux/64bit
aquasecurity/trivy info installed /usr/local/bin/trivy

+ trivy fs --scanners vuln,misconfig $TRIVY_ARGS . || export TRIVY_FAILED=$?
2024-12-20T23:51:50Z	INFO	[vulndb] Need to update DB
2024-12-20T23:51:50Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-20T23:51:50Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T23:51:54Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T23:51:54Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-20T23:51:54Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-20T23:51:54Z	INFO	[misconfig] Need to update the built-in checks
2024-12-20T23:51:54Z	INFO	[misconfig] Downloading the built-in checks...
2024-12-20T23:51:59Z	INFO	[terraform scanner] Scanning root module	file_path="terraform"
2024-12-20T23:51:59Z	INFO	[terraform scanner] Scanning root module	file_path="terraform-ecr"
2024-12-20T23:52:00Z	INFO	Number of language-specific files	num=1
2024-12-20T23:52:00Z	INFO	[gomod] Detecting vulnerabilities...
2024-12-20T23:52:00Z	INFO	Detected config files	num=7
2024-12-20T23:52:00Z	ERROR	[sarif] Unable to parse URI	URI="[email protected]:REDACTED/REDACTED.git/terraform?ref=1.8.4/terraform/.terraform/modules/aws_ecs_app/terraform/sg.tf" err="parse \"[email protected]:REDACTED/REDACTED.git/terraform?ref=1.8.4/terraform/.terraform/modules/aws_ecs_app/terraform/sg.tf\": first path segment in URL cannot contain colon"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x5d8714]
goroutine 1 [running]:
net/url.(*URL).String(0x0)
	/opt/hostedtoolcache/go/1.22.9/x64/src/net/url/url.go:817 +0x34
github.com/aquasecurity/trivy/pkg/report.(*SarifWriter).addSarifResult(0xc00f4aca00, 0xc00f4e61c0)
	/home/runner/work/trivy/trivy/pkg/report/sarif.go:114 +0x30f
github.com/aquasecurity/trivy/pkg/report.(*SarifWriter).Write(_, {_, _}, {0x2, {0xc1d19ea814fa667b, 0x238b6ae57, 0x820f0a0}, {0x7ffd3e0e7429, 0x1}, {0x47c4e65, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/report/sarif.go:186 +0x13a5
github.com/aquasecurity/trivy/pkg/report.Write({_, _}, {0x2, {0xc1d19ea814fa667b, 0x238b6ae57, 0x820f0a0}, {0x7ffd3e0e7429, 0x1}, {0x47c4e65, 0xa}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/report/writer.go:102 +0x8e6
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).Report(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:276 +0x92
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc000873950, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:395 +0xc4e
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc0009d5508, {0xc000424a50, 0x1, 0xf})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc0009d5508, {0xc000424960, 0xf, 0xf})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc0009d4f08)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
```

### Reproduction Steps

```bash
export TRIVY_ARGS="--ignorefile ./.trivyignore.yml --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --severity HIGH,CRITICAL --exit-code 1 --format sarif -o trivy.sarif"
trivy fs --scanners vuln,misconfig $TRIVY_ARGS .
```


### Target

Git Repository

### Scanner

Misconfiguration

### Output Format

SARIF

### Mode

Standalone

### Debug Output

```bash
--
```

### Operating System

Linux (bitbucket CI/CD)

### Version

0.58.0 for v0.58.0/Linux/64bit

### Checklist
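The failure mode in the trace above is a nil `*url.URL` receiver: `url.Parse` rejects the path, the helper logs and returns nil, and the caller's `.String()` dereferences it. The following is an added Go example, not Trivy's code, that reproduces that pattern beside the check the issue title asks for; the sample path (constructed so its first segment contains a colon, like the one in the report), the function names and the fall-back-to-raw-string behaviour are all assumptions for illustration.

```go
package main

import (
	"fmt"
	"log"
	"net/url"
)

// Constructed sample inputs (assumptions, not values from the issue).
// sampleInvalid has a colon in its first path segment and no scheme, which is
// exactly what url.Parse refuses with "first path segment in URL cannot contain colon".
const sampleInvalid = "git@example.invalid:org/repo.git/terraform?ref=1.8.4/terraform/sg.tf"
const sampleValid = "https://example.invalid/org/repo/terraform/sg.tf"

// toPathURI mirrors the pattern the issue describes: parse, log on failure,
// return nil. Every caller must check for nil before using the result.
func toPathURI(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		log.Printf("unable to parse URI %q: %v", raw, err)
		return nil
	}
	return u
}

// unsafeURIString reproduces the crash: (*url.URL)(nil).String() reads fields
// through a nil receiver, so an unparsable input panics instead of erroring.
func unsafeURIString(raw string) string {
	return toPathURI(raw).String()
}

// safeURIString checks the parse result before converting it to a string and
// falls back to the raw value. One odd module path then degrades to a less
// precise SARIF location instead of aborting the whole report.
func safeURIString(raw string) string {
	if u := toPathURI(raw); u != nil {
		return u.String()
	}
	return raw
}

// panics reports whether fn panics, so the two call paths can be compared
// without crashing the program.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	fmt.Println("unsafe path panics on invalid input:", panics(func() { unsafeURIString(sampleInvalid) }))
	fmt.Println("safe path, invalid input:", safeURIString(sampleInvalid))
	fmt.Println("safe path, valid input:  ", safeURIString(sampleValid))
}
```

Falling back to the raw string is one reasonable choice for a report writer; the alternative is to propagate the parse error so the caller decides. Either way the invariant is the same: a function that may return nil must never have its result dereferenced unconditionally.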

@nikpivkin nikpivkin added the kind/bug Categorizes issue or PR as related to a bug. label Dec 21, 2024