Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue with uploading the SARIF report to GitHub #408

Open
uRhos opened this issue Oct 9, 2024 · 25 comments
Open

Issue with uploading the SARIF report to GitHub #408

uRhos opened this issue Oct 9, 2024 · 25 comments

Comments

@uRhos
Copy link

uRhos commented Oct 9, 2024

Hello,

We're facing issues with the Using Trivy to scan your Git repo setup, the action is working fine and creates a SARIF report, however that report is not accepted by GithHub in the Upload Trivy scan results to GitHub Security tab step. Here's our workflow.yaml config:

  - name: Run Trivy vulnerability scanner in repo mode
    uses: aquasecurity/trivy-action@master
    env:
      TRIVY_USERNAME: ${{ secrets.TRIVY_USERNAME }}
      TRIVY_PASSWORD: ${{ secrets.TRIVY_PASSWORD }}
      TRIVY_DB_REPOSITORY: ${{ secrets.TRIVY_REPOSITORY }}
    with:
      scan-type: 'fs'
      ignore-unfixed: true
      format: 'sarif'
      output: 'trivy-results.sarif'
      timeout: '10m'
      severity: 'CRITICAL,HIGH'
      scanners: "vuln,misconfig"
      limit-severities-for-sarif: true

  - name: Upload Trivy scan results to GitHub Security tab
    uses: github/codeql-action/upload-sarif@v3
    with:
      sarif_file: 'trivy-results.sarif'

The error from the Upload Trivy scan results to GitHub Security tab is:
Error: Code Scanning could not process the submitted SARIF file: locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location
We're using the latest version supported in the trivy-action.

@simar7
Copy link
Member

simar7 commented Oct 9, 2024

@uRhos that's interesting. I tested this earlier as you can see here and it was fine.

Is it possible for you run the same scan locally with the Trivy CLI to see what output you get? It might be a bug with the SARIF output being generated incorrectly.

Were the reports correctly being generated and uploaded in prior versions of Trivy action?

@richardrobarth
Copy link

I had similar issue since yesterday, had to revert to 0.25.0.
Our problem was that result was generated in table format (not sarif).
From the looks of it the action isnt picking up the correct config (from trivy.yaml).

@uRhos
Copy link
Author

uRhos commented Oct 10, 2024

@uRhos that's interesting. I tested this earlier as you can see here and it was fine.

Is it possible for you run the same scan locally with the Trivy CLI to see what output you get? It might be a bug with the SARIF output being generated incorrectly.

Were the reports correctly being generated and uploaded in prior versions of Trivy action?

Yes, after setting version: 'v0.55.0' the workflow is completed correctly, but I agree with @richardrobarth the trivy.yaml config is not being picked up, so we had to change from using it to using the inputs and env vars

@JackDallas
Copy link

Also hitting this in multiple repos, pinning to 0.24.0 fixes it for us

@simar7
Copy link
Member

simar7 commented Oct 11, 2024

@uRhos could you try with the latest release https://github.com/aquasecurity/trivy-action/releases/tag/0.27.0 we had an issue where env var were not getting set and it should be addressed hopefully in this release. Let us know how it goes.

@mat-sylvia-mark43
Copy link

Also having issues with SARIF upload. Confirmed the SARIF is there after the trivy scan, but didn't confirm its contents. Errors from the upload-sarif action attached. I changed no working directory settings or anything like that.

git call failed. Continuing with commit SHA from user input or environment. Error: The checkout path provided to the action does not appear to be a git repository. git call failed. Will calculate the base branch SHA on the server. Error: The checkout path provided to the action does not appear to be a git repository.

image

@nikpivkin
Copy link
Contributor

nikpivkin commented Oct 17, 2024

Hi @mat-sylvia-mark43 ! Can you give me an example of your workflow?

@uRhos
Copy link
Author

uRhos commented Oct 17, 2024

Hi @uRhos ! Can you give me an example of your workflow?

The workflow we use is pretty much in the description, we just have one more step to checkout the code first

@nikpivkin
Copy link
Contributor

@uRhos Ah, I accidentally mentioned you

@uRhos
Copy link
Author

uRhos commented Oct 17, 2024

@uRhos could you try with the latest release https://github.com/aquasecurity/trivy-action/releases/tag/0.27.0 we had an issue where env var were not getting set and it should be addressed hopefully in this release. Let us know how it goes.

so we tried it with the 0.27.0 version of trivy-action and 0.56.2 version of trivy and got the same error, after setting the trivy version to 0.55.2 it works, so it's probably a bug in the latest trivy release

@mat-sylvia-mark43
Copy link

@nikpivkin Here you go!

image

@mat-sylvia-mark43
Copy link

@nikpivkin any thoughts? The action appears to be completely broken by this.

@mdemers-cobank
Copy link

mdemers-cobank commented Oct 25, 2024

We are also running into this issue using aquasecurity/[email protected]. Here is our GitHub Action:

  - name: Run Trivy vulnerability scanner in IaC mode and publish to Secuirty Tab
    uses: aquasecurity/[email protected]
    with:
      scan-type: 'fs'
      scan-ref: '.'
      scanners: 'vuln,misconfig'
      hide-progress: true
      format: 'sarif'
      output: 'trivy-results.sarif' 
      ignore-unfixed: true
      severity: 'CRITICAL,HIGH,MEDIUM,LOW'
      
  - name: Upload Trivy scan results to GitHub Security tab
    uses: github/codeql-action/[email protected]
    if: failure()  || success()
    with:
      sarif_file: 'trivy-results.sarif'         

image

@obounaim
Copy link
Contributor

Hi, we are also facing the same issue.

Github action:

jobs:
  security:
    name: security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in IaC mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          severity: 'CRITICAL,HIGH'
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

It seems that we are not have issues with our AWS Terraform repositories, however, it is failing with our GCP mono-repo repository.

@obounaim
Copy link
Contributor

@simar7, @nikpivkin I have noticed that some uri fields are missing from the SARIF file, could this be the cause of the upload problem? Example bellow :

       {
          "ruleId": "AVD-GCP-0061",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: \nType: terraform\nVulnerability AVD-GCP-0061\nSeverity: HIGH\nMessage: Cluster does not have master authorized networks enabled.\nLink: [AVD-GCP-0061](https://avd.aquasec.com/misconfig/avd-gcp-0061)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": ""
              }
            }
          ]
        },

@obounaim
Copy link
Contributor

obounaim commented Dec 4, 2024

@simar7, @nikpivkin I have noticed that some uri fields are missing from the SARIF file, could this be the cause of the upload problem? Example bellow :

       {
          "ruleId": "AVD-GCP-0061",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: \nType: terraform\nVulnerability AVD-GCP-0061\nSeverity: HIGH\nMessage: Cluster does not have master authorized networks enabled.\nLink: [AVD-GCP-0061](https://avd.aquasec.com/misconfig/avd-gcp-0061)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": ""
              }
            }
          ]
        },

Any update on this? I think it is more of a Trivy issue than a Trivy-Action.

@ZsoltPath
Copy link

ZsoltPath commented Dec 4, 2024

I've just upgrade to Trivy v0.58.0 (I was waiting for another issue to be fixed) and getting the same error when uploading to codeql.

I can see an empty URI parameter too.
It is for a different finding:

        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: \nType: terraform\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": ""
              }
            }
          ]
        },

And manually removing the section with the empty URI helps.

And it looks dodgy in normal output as well:

 (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

AVD-AWS-0066 (LOW): Function does not have tracing enabled.
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
X-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts.


See https://avd.aquasec.com/misconfig/avd-aws-0066
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

@nikpivkin
Copy link
Contributor

nikpivkin commented Dec 4, 2024

Hi @ZsoltPath !

Does trivy load checks bundle by itself or do you override the repository with the checks-bundle-repository flag?

@ZsoltPath
Copy link

Hi @ZsoltPath !

Does trivy load checks bundle by itself or do you override the repository with the checks-bundle-repository flag?

It does on it's own.

2024-12-04T10:28:16Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-04T10:28:16Z	INFO	[misconfig] Need to update the built-in checks
2024-12-04T10:28:16Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-04T10:28:21Z	INFO	[terraform scanner] Scanning root module	file_path="."

@nikpivkin
Copy link
Contributor

@ZsoltPath Do you have a sample aws_lambda_function configuration?

I scanned the config with Trivy v0.58 but did not reproduce the problem:

❯ cat main.tf
resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  role          = aws_iam_role.iam_for_lambda.arn
  handler       = "index.test"
}%

❯ trivy conf main.tf -f sarif
...
      "results": [
        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 5,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "main.tf"
              }
            }
          ]
        }
      ],
...

@ZsoltPath
Copy link

@ZsoltPath Do you have a sample aws_lambda_function configuration?

I scanned the config with Trivy v0.58 but did not reproduce the problem:

❯ cat main.tf
resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  role          = aws_iam_role.iam_for_lambda.arn
  handler       = "index.test"
}%

❯ trivy conf main.tf -f sarif
...
      "results": [
        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 5,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "main.tf"
              }
            }
          ]
        }
      ],
...

I have 15 aws_lambda_functions in the codebase. All of them through the same module.
And none of them has tracing enabled.
It's hard to tell which one is the offending without any more information.

@nikpivkin
Copy link
Contributor

@ZsoltPath Do you have a sample aws_lambda_function configuration?
I scanned the config with Trivy v0.58 but did not reproduce the problem:

❯ cat main.tf
resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  role          = aws_iam_role.iam_for_lambda.arn
  handler       = "index.test"
}%

❯ trivy conf main.tf -f sarif
...
      "results": [
        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 5,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "main.tf"
              }
            }
          ]
        }
      ],
...

I have 15 aws_lambda_functions in the codebase. All of them through the same module. And none of them has tracing enabled. It's hard to tell which one is the offending without any more information.

Are you using this module or a custom one?

@ZsoltPath
Copy link

@ZsoltPath Do you have a sample aws_lambda_function configuration?
I scanned the config with Trivy v0.58 but did not reproduce the problem:

❯ cat main.tf
resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  role          = aws_iam_role.iam_for_lambda.arn
  handler       = "index.test"
}%

❯ trivy conf main.tf -f sarif
...
      "results": [
        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 5,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "main.tf"
              }
            }
          ]
        }
      ],
...

I have 15 aws_lambda_functions in the codebase. All of them through the same module. And none of them has tracing enabled. It's hard to tell which one is the offending without any more information.

Are you using this module or a custom one?

No, it's our custom one

@nikpivkin
Copy link
Contributor

nikpivkin commented Dec 4, 2024

@ZsoltPath Do you have a sample aws_lambda_function configuration?
I scanned the config with Trivy v0.58 but did not reproduce the problem:

❯ cat main.tf
resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  role          = aws_iam_role.iam_for_lambda.arn
  handler       = "index.test"
}%

❯ trivy conf main.tf -f sarif
...
      "results": [
        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 5,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "main.tf"
              }
            }
          ]
        }
      ],
...

I have 15 aws_lambda_functions in the codebase. All of them through the same module. And none of them has tracing enabled. It's hard to tell which one is the offending without any more information.

Are you using this module or a custom one?

No, it's our custom one

How did you run Trivy, can you show an example of the step?

@ZsoltPath
Copy link

@ZsoltPath Do you have a sample aws_lambda_function configuration?
I scanned the config with Trivy v0.58 but did not reproduce the problem:

❯ cat main.tf
resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  role          = aws_iam_role.iam_for_lambda.arn
  handler       = "index.test"
}%

❯ trivy conf main.tf -f sarif
...
      "results": [
        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 5,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "main.tf"
              }
            }
          ]
        }
      ],
...

I have 15 aws_lambda_functions in the codebase. All of them through the same module. And none of them has tracing enabled. It's hard to tell which one is the offending without any more information.

Are you using this module or a custom one?

No, it's our custom one

How did you run Trivy, can you show an example of the step?

I run it in Github Workflow and manually on my Mac too.

      - name: Run Trivy vulnerability scanner in IaC mode
        uses: aquasecurity/[email protected]
        with:
          version: "v0.58.0"
          scan-type: "config"
          tf-vars: "environments/${{ env.TF_ENVIRONMENT }}.tfvars"
          # hide-progress: true
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

or
trivy config --tf-vars environments/dev.tfvars .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants