
sarif output appears to be duplicated and invalid #704

Open
flcdrg opened this issue Mar 10, 2023 · 7 comments
Labels
bug Something isn't working

Comments


flcdrg commented Mar 10, 2023

Describe the bug

Output from jf build number --vuln=true --fail=true --server-id "server" --format sarif does not validate when uploaded to https://sarifweb.azurewebsites.net/Validation

The actual output is duplicated and contains invalid elements.

Current behavior

This is the output from the above command.

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "informationUri": "https://jfrog.com/xray/",
          "name": "JFrog Xray",
          "rules": [
            {
              "id": "XRAY-260082",
              "shortDescription": null,
              "help": {
                "markdown": ".NET and Visual Studio Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-23267, CVE-2022-29145."
              },
              "properties": {
                "security-severity": "7.5"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "XRAY-260082",
          "ruleIndex": 0,
          "message": {
            "text": "[CVE-2022-29117] Upgrade microsoft.owin:4.2.0 to [4.2.2]"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": " Package Descriptor"
                }
              }
            }
          ]
        },
        {
          "ruleId": "XRAY-260082",
          "ruleIndex": 0,
          "message": {
            "text": "[CVE-2022-29117] Upgrade microsoft.owin:4.2.0 to [4.2.2]"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": " Package Descriptor"
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "informationUri": "https://jfrog.com/xray/",
          "name": "JFrog Xray",
          "rules": [
            {
              "id": "XRAY-260082",
              "shortDescription": null,
              "help": {
                "markdown": ".NET and Visual Studio Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-23267, CVE-2022-29145."
              },
              "properties": {
                "security-severity": "7.5"
              }
            },
            {
              "id": "XRAY-138885",
              "shortDescription": null,
              "help": {
                "markdown": "Newtonsoft Json.NET (Newtonsoft.Json) JSON Deserialization Nested Object Recursion Handling Stack Exhaustion DoS Weakness"
              },
              "properties": {
                "security-severity": "0.0"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "XRAY-260082",
          "ruleIndex": 0,
          "message": {
            "text": "[CVE-2022-29117] Upgrade microsoft.owin:4.2.0 to [4.2.2]"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": " Package Descriptor"
                }
              }
            }
          ]
        },
        {
          "ruleId": "XRAY-138885",
          "ruleIndex": 1,
          "message": {
            "text": "[XRAY-138885] Upgrade newtonsoft.json:12.0.1 to [13.0.1]"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": " Package Descriptor"
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

No, I didn't paste twice - the output seems to be duplicated (such that it is not even valid JSON!).

Removing the duplication, it also contains errors according to the online validator.

  • runs[0].tool.driver.rules[0].shortDescription: The schema requires one of the types [Object], but a token of type 'String' was found
  • runs[0].tool.driver.rules[0].help: The required property 'text' is missing.
  • runs[0].tool.driver: The tool 'JFrog Xray' does not provide any of the version-related properties 'version', 'semanticVersion', 'dottedQuadFileVersion'. Providing version information enables the log file consumer to determine whether the file was produced by an up to date version, and to avoid accidentally comparing log files produced by different tool versions
  • runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri: The string ' Package Descriptor' is not a valid URI reference. URIs must conform to RFC 3986.
  • runs[0].results[1].locations[0].physicalLocation.artifactLocation.uri: The string ' Package Descriptor' is not a valid URI reference. URIs must conform to RFC 3986.

Reproduction steps

Ran command in description against a .NET project with a vulnerable NuGet package.

Expected behavior

Valid sarif outputted

JFrog CLI-Core version

2.34.6

JFrog CLI version (if applicable)

2.34.6

Operating system type and version

Windows 2019

JFrog Artifactory version

Current hosted version

JFrog Xray version

Current hosted version

@flcdrg flcdrg added the bug Something isn't working label Mar 10, 2023
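As an added illustration, not part of jfrog-cli or of this thread, the following Python script checks a raw `--format sarif` stream for the problems listed above: it walks the stream with `json.JSONDecoder.raw_decode` so that concatenated documents are counted instead of failing the parse, then reports a missing driver version, a `shortDescription`/`help` that is not an object or lacks `text`, and an `artifactLocation.uri` that is not a URI reference. The embedded sample is constructed to reproduce those defects; the `version` value in its second document is a placeholder.

```python
"""Sanity checks for SARIF 2.1.0 output (added example, not jfrog-cli code)."""
import json
import re
from urllib.parse import urlsplit

# Constructed sample: two SARIF documents back to back, mirroring the
# duplicated output reported above. The first carries the reported defects,
# the second is the corrected form of the same data.
SAMPLE_OUTPUT = """{
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "JFrog Xray",
    "rules": [{"id": "XRAY-260082", "shortDescription": null,
               "help": {"markdown": "desc"}}]}},
    "results": [{"ruleId": "XRAY-260082", "ruleIndex": 0,
      "message": {"text": "Upgrade x"},
      "locations": [{"physicalLocation": {"artifactLocation": {"uri": " Package Descriptor"}}}]}]}]
}
{
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "JFrog Xray", "version": "0.0.0-placeholder",
    "rules": [{"id": "XRAY-138885",
               "shortDescription": {"text": "short"},
               "help": {"text": "desc", "markdown": "desc"}}]}},
    "results": [{"ruleId": "XRAY-138885", "ruleIndex": 0,
      "message": {"text": "Upgrade y"},
      "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/project.csproj"}}}]}]}]
}
"""


def split_json_documents(text):
    """Return every top-level JSON value in `text`.

    A stream holding more than one document is not valid JSON as a whole
    (json.loads raises), but raw_decode lets us walk it document by document.
    """
    decoder = json.JSONDecoder()
    docs = []
    text = text.strip()
    pos = 0
    while pos < len(text):
        obj, end = decoder.raw_decode(text, pos)
        docs.append(obj)
        pos = end
        while pos < len(text) and text[pos].isspace():  # skip inter-document whitespace
            pos += 1
    return docs


def _is_uri_reference(value):
    """Rough RFC 3986 check: non-empty, no whitespace, and urlsplit accepts it."""
    if not value or re.search(r"\s", value):
        return False
    try:
        urlsplit(value)
    except ValueError:
        return False
    return True


def check_sarif_document(doc):
    """Return problem strings for one SARIF document, using the validator's path style."""
    problems = []
    for ri, run in enumerate(doc.get("runs", [])):
        driver = run.get("tool", {}).get("driver", {})
        dp = f"runs[{ri}].tool.driver"
        if not any(k in driver for k in ("version", "semanticVersion", "dottedQuadFileVersion")):
            problems.append(f"{dp}: no version property (version/semanticVersion/dottedQuadFileVersion)")
        for i, rule in enumerate(driver.get("rules", [])):
            for field in ("shortDescription", "help"):
                if field not in rule:
                    continue  # both properties are optional; only their shape is checked
                msg = rule[field]
                if not isinstance(msg, dict):
                    problems.append(f"{dp}.rules[{i}].{field}: expected an object, found {type(msg).__name__}")
                elif "text" not in msg:
                    problems.append(f"{dp}.rules[{i}].{field}: required property 'text' is missing")
        for j, result in enumerate(run.get("results", [])):
            for k, loc in enumerate(result.get("locations", [])):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                if uri is not None and not _is_uri_reference(uri):
                    problems.append(f"runs[{ri}].results[{j}].locations[{k}]"
                                    f".physicalLocation.artifactLocation.uri: {uri!r} is not a valid URI reference")
    return problems


def check_sarif_output(text):
    """Check a raw output stream; returns (document_count, problems)."""
    docs = split_json_documents(text)
    problems = []
    if len(docs) != 1:
        problems.append(f"stream contains {len(docs)} JSON documents; a SARIF file must contain exactly one")
    for n, doc in enumerate(docs):
        problems.extend(f"document {n}: {p}" for p in check_sarif_document(doc))
    return len(docs), problems


if __name__ == "__main__":
    count, found = check_sarif_output(SAMPLE_OUTPUT)
    print(f"{count} document(s) in stream")
    for p in found:
        print(" -", p)
```

Run it on a captured `jf ... --format sarif` file instead of `SAMPLE_OUTPUT` to see whether a given CLI build still emits more than one document or any of the shape errors, before relying on the file as input to a SARIF consumer.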

flcdrg commented Mar 10, 2023

I suspect the duplication might be due to using --vuln=true

That's not particularly useful if it is just concatenating two JSON outputs together if that is the case

@sverdlov93
Contributor

Hi @flcdrg ,
Thanks for reporting this issue.
We're sorry for the inconvenience caused by this.
First, it's indeed an issue with our sarif format creation and should be fixed.
Regardless of that issue, can you please share the reason behind using --vuln flag here?


flcdrg commented Mar 13, 2023

I was under the impression that would result in additional information being included in the report, which sounded useful?

@sverdlov93
Contributor

Running jf bs with --vuln flag is actually running 2 scans and prints 2 different tables.
The first table is the regular build scan security violations according to Xray watches and policies assigned to that build.
The second table is an additional table of all vulnerabilities regardless of any Xray watch and policy.
The all-vulns table should not appear on the sarif data.

@sverdlov93
Contributor

Hi @flcdrg
JFrog CLI 2.35.0 is released and should fix the above issue.
Looking forward to your feedback on it.


Lykathia commented Jun 12, 2023

Still an issue, at least w.r.t. invalid output. This is using CLI version 2.40.0

Error details: instance.runs[0].tool.driver.rules[1].help requires property "text"

  {
    "path": [
      "runs",
      0,
      "tool",
      "driver",
      "rules",
      1,
      "help"
    ],
    "property": "instance.runs[0].tool.driver.rules[1].help",
    "message": "requires property \"text\"",
    "schema": {
      "description": "A message string or message format string rendered in multiple formats.",
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "text": {
          "description": "A plain text message string or format string.",
          "type": "string"
        },
        "markdown": {
          "description": "A Markdown message string or format string.",
          "type": "string"
        },
        "properties": {
          "description": "Key/value pairs that provide additional information about the message.",
          "$ref": "#/definitions/propertyBag"
        }
      },
      "required": [
        "text"
      ]
    },
    "instance": {
      "markdown": "A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0820, CVE-2019-0980."
    },
    "name": "required",
    "argument": "text",
    "stack": "instance.runs[0].tool.driver.rules[1].help requires property \"text\""
  }
Error details: instance.runs[0].tool.driver.rules[1].shortDescription is not of a type(s) object
  {
    "path": [
      "runs",
      0,
      "tool",
      "driver",
      "rules",
      1,
      "shortDescription"
    ],
    "property": "instance.runs[0].tool.driver.rules[1].shortDescription",
    "message": "is not of a type(s) object",
    "schema": {
      "description": "A message string or message format string rendered in multiple formats.",
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "text": {
          "description": "A plain text message string or format string.",
          "type": "string"
        },
        "markdown": {
          "description": "A Markdown message string or format string.",
          "type": "string"
        },
        "properties": {
          "description": "Key/value pairs that provide additional information about the message.",
          "$ref": "#/definitions/propertyBag"
        }
      },
      "required": [
        "text"
      ]
    },
    "instance": null,
    "name": "type",
    "argument": [
      "object"
    ],
    "stack": "instance.runs[0].tool.driver.rules[1].shortDescription is not of a type(s) object"
  }

text is missing and shortDescription is null in the original output.

@ipowellBT

While not completely valid SARIF, as of version 2.52.1 of the jfrog cli, the SARIF produced by jf audit and jf docker scan is accepted by GitHub Security Centre.
