
fix: do not check unmanaged resources #8054

Open
2 tasks done
nikpivkin opened this issue Dec 5, 2024 Discussed in #8044 · 0 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/misconfiguration (Issues relating to misconfiguration scanning)

@nikpivkin (Contributor) wrote:
Trivy creates dummy resources to store orphan resources, i.e. resources without a parent resource. For example, if no related aws_security_group_rule resources are found for aws_security_group resources, Trivy will create a dummy group to store the rules. We should not be checking dummy resources.

Discussed in #8044

Originally posted by obounaim December 4, 2024

Description

I believe that Trivy is generating an incorrect SARIF file. This issue affects the ability to properly integrate the results into GitHub Advanced Security. This issue occurs when we scan GCP Terraform resources.

Environment:

  • Trivy version: v0.57.1
  • Trivy Action version: 0.29

GitHub error:

Waiting for processing to finish
  Analysis upload status is pending.
  ##[debug]Analysis processing is still pending...
  Analysis upload status is failed.
  ::endgroup::
Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location

Original GitHub Issue: 408
I have noticed that some uri fields are missing from the SARIF file; could this be the cause of the upload problem? Example below:

{
  "ruleId": "AVD-GCP-0061",
  "ruleIndex": 1,
  "level": "error",
  "message": {
    "text": "Artifact: \nType: terraform\nVulnerability AVD-GCP-0061\nSeverity: HIGH\nMessage: Cluster does not have master authorized networks enabled.\nLink: [AVD-GCP-0061](https://avd.aquasec.com/misconfig/avd-gcp-0061)"
  },
  "locations": [
    {
      "physicalLocation": {
        "artifactLocation": {
          "uri": "",
          "uriBaseId": "ROOTPATH"
        },
        "region": {
          "startLine": 1,
          "startColumn": 1,
          "endLine": 1,
          "endColumn": 1
        }
      },
      "message": {
        "text": ""
      }
    }
  ]
},

Regards,

Desired Behavior

The generated SARIF should not get rejected by GitHub. It works for AWS Terraform resources, but when we scan GCP Terraform resources GitHub rejects the SARIF file.

Actual Behavior

The generated SARIF should not get rejected by GitHub. It works for AWS Terraform resources, but when we scan GCP Terraform resources GitHub rejects the SARIF file.

Reproduction Steps

1. Scan GCP terraform resources, and generate the results in a SARIF file
2. Upload the SARIF file to GitHub Advanced Security

Target

None

Scanner

Misconfiguration

Output Format

SARIF

Mode

Standalone

Debug Output

The scanning works fine.

Operating System

Ubuntu 22.04.5

Version

v0.57.1
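The mechanism described in the comment above (orphan rules parked on a synthesized parent that exists nowhere in the scanned code) and the fix direction in the title, as an added example in Go. This is not Trivy's code: the `Metadata`/`Managed` model, `attachRules`, `checkDescriptions` and the rule ID `EXAMPLE-0001` are assumptions made for the example. It shows why a check that runs over the synthesized resource produces a finding with an empty location, and how skipping unmanaged resources avoids that.

```go
package main

import "fmt"

// Metadata stands in for the source metadata Trivy keeps per IaC resource
// (hypothetical model for this example): the file it was declared in and
// whether it is "managed", i.e. actually written in the scanned code.
type Metadata struct {
	File    string
	Managed bool
}

// Rule is an aws_security_group_rule; Group names the aws_security_group it targets.
type Rule struct{ Group string }

// SecurityGroup is an aws_security_group with the rules attached to it.
type SecurityGroup struct {
	Metadata    Metadata
	Name        string
	Description string
	Rules       []Rule
}

// attachRules links rules to their groups. Rules whose group is not declared in
// the scanned code are parked on a synthesized group that is unmanaged and has
// no file: the "dummy resource" the issue describes.
func attachRules(groups []SecurityGroup, rules []Rule) []SecurityGroup {
	byName := map[string]int{}
	for i, g := range groups {
		byName[g.Name] = i
	}
	var orphans []Rule
	for _, r := range rules {
		if i, ok := byName[r.Group]; ok {
			groups[i].Rules = append(groups[i].Rules, r)
		} else {
			orphans = append(orphans, r)
		}
	}
	if len(orphans) > 0 {
		groups = append(groups, SecurityGroup{Metadata: Metadata{Managed: false}, Rules: orphans})
	}
	return groups
}

// Finding is one check result plus the value that would become the SARIF
// artifactLocation.uri; for an unmanaged resource that value is "".
type Finding struct{ RuleID, URI string }

// checkDescriptions is a toy check that flags groups without a description.
// With skipUnmanaged set, synthesized groups are ignored, so the check never
// emits a finding for a resource that has no location in the code.
func checkDescriptions(groups []SecurityGroup, skipUnmanaged bool) []Finding {
	var out []Finding
	for _, g := range groups {
		if skipUnmanaged && !g.Metadata.Managed {
			continue
		}
		if g.Description == "" {
			out = append(out, Finding{RuleID: "EXAMPLE-0001", URI: g.Metadata.File})
		}
	}
	return out
}

func main() {
	groups := attachRules(
		[]SecurityGroup{{Metadata: Metadata{File: "main.tf", Managed: true}, Name: "web"}},
		[]Rule{{Group: "web"}, {Group: "missing"}}, // second rule has no declared group
	)
	fmt.Println("checking every resource:", checkDescriptions(groups, false)) // one finding has URI ""
	fmt.Println("managed resources only: ", checkDescriptions(groups, true))
}
```

The filter belongs in the check (or the engine that runs checks), not in the SARIF writer: a result for a resource that has no place in the code is not actionable even if its location field is patched to something valid.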


@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Dec 5, 2024
@nikpivkin nikpivkin changed the title fix: not to check unmanaged resources fix: do not check unmanaged resources Dec 5, 2024
@simar7 simar7 added this to the v0.59.0 milestone Dec 6, 2024
@nikpivkin nikpivkin self-assigned this Dec 11, 2024
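A pre-upload check for the symptom in the report above (results whose physicalLocation.artifactLocation.uri is empty, which GitHub code scanning rejects with "expected artifact location"), as an added example in Go. This is not code from Trivy or trivy-action; the SARIF sample is constructed to mirror the quoted fragment, and `findEmptyLocations`, `stripEmptyLocations`, `hasEmptyURI` and `walkResults` are hypothetical helper names. It works on the generic JSON tree so that fields it does not know about survive a round trip.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleSARIF is a constructed two-result file: the first result mirrors the
// empty-uri shape quoted in the issue, the second is well formed.
const sampleSARIF = `{"version":"2.1.0","runs":[{"results":[
{"ruleId":"AVD-GCP-0061","locations":[{"physicalLocation":{"artifactLocation":{"uri":"","uriBaseId":"ROOTPATH"},"region":{"startLine":1}}}]},
{"ruleId":"AVD-GCP-0061","locations":[{"physicalLocation":{"artifactLocation":{"uri":"gke.tf","uriBaseId":"ROOTPATH"},"region":{"startLine":12}}}]}
]}]}`

// hasEmptyURI reports whether any location of a result lacks a usable
// physicalLocation.artifactLocation.uri. Failed type assertions on the generic
// JSON tree yield zero values, so a malformed location counts as empty too.
func hasEmptyURI(res interface{}) bool {
	m, _ := res.(map[string]interface{})
	locs, _ := m["locations"].([]interface{})
	for _, l := range locs {
		loc, _ := l.(map[string]interface{})
		phys, _ := loc["physicalLocation"].(map[string]interface{})
		art, _ := phys["artifactLocation"].(map[string]interface{})
		if uri, _ := art["uri"].(string); uri == "" {
			return true
		}
	}
	return false
}

// walkResults calls fn for every run with that run's results list; fn may
// assign a new list back into the run.
func walkResults(doc map[string]interface{}, fn func(run map[string]interface{}, results []interface{})) {
	runs, _ := doc["runs"].([]interface{})
	for _, r := range runs {
		if run, ok := r.(map[string]interface{}); ok {
			results, _ := run["results"].([]interface{})
			fn(run, results)
		}
	}
}

// findEmptyLocations lists the results GitHub would reject, by index and rule ID.
func findEmptyLocations(data []byte) ([]string, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	var bad []string
	walkResults(doc, func(_ map[string]interface{}, results []interface{}) {
		for i, res := range results {
			if hasEmptyURI(res) {
				m, _ := res.(map[string]interface{})
				id, _ := m["ruleId"].(string)
				bad = append(bad, fmt.Sprintf("result %d (%s): empty artifactLocation.uri", i, id))
			}
		}
	})
	return bad, nil
}

// stripEmptyLocations returns the document with those results removed and the
// number dropped, so the remaining findings can still be uploaded. The dropped
// entries are real findings with no file to point at; log them, do not lose them.
func stripEmptyLocations(data []byte) ([]byte, int, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, 0, err
	}
	dropped := 0
	walkResults(doc, func(run map[string]interface{}, results []interface{}) {
		kept := []interface{}{} // non-nil so an emptied list marshals as [] rather than null
		for _, res := range results {
			if hasEmptyURI(res) {
				dropped++
			} else {
				kept = append(kept, res)
			}
		}
		run["results"] = kept
	})
	out, err := json.Marshal(doc)
	return out, dropped, err
}

func main() {
	bad, _ := findEmptyLocations([]byte(sampleSARIF))
	fmt.Println("would be rejected:", bad)
	out, n, _ := stripEmptyLocations([]byte(sampleSARIF))
	fmt.Printf("dropped %d result(s); upload: %s\n", n, out)
}
```

Run the check in the pipeline step between `trivy` and the upload action and fail loudly when it finds anything; stripping is a stop-gap for getting the other results into code scanning while the scanner-side fix lands, not a replacement for it.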