aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

SARIF output prepends `library/` in front of file locations #2960

Status: Closed (closed by multani 1 year ago)

multani commented 2 years ago

Description

I'm testing the SARIF output on various repositories, and it seems in some cases, Trivy prepends the artifact locations with a library/ prefix. This results in a location which is not the right one and I don't see an obvious way to reconstruct the location correctly.

For example, in this sample repository https://github.com/multani/sarif-sample-python:

Running trivy fs --format sarif . returns the following artifact locations (there are several of them, this is just a sample):

          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/requirements.txt",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]

Although the requirements.txt file is at the root of the repository, there's an additional library/ in front of it.

This can be tested using:

$ trivy fs . --format sarif | jq -r '.runs[].results[].locations[].physicalLocation.artifactLocation.uri'
2022-09-29T18:16:51.867+0200    INFO    Vulnerability scanning is enabled
2022-09-29T18:16:51.867+0200    INFO    Secret scanning is enabled
2022-09-29T18:16:51.867+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-29T18:16:51.867+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-09-29T18:16:51.874+0200    INFO    Number of language-specific files: 1
2022-09-29T18:16:51.874+0200    INFO    Detecting pip vulnerabilities...
library/requirements.txt
library/requirements.txt
library/requirements.txt
library/requirements.txt
library/requirements.txt
library/requirements.txt
library/requirements.txt
library/requirements.txt
library/requirements.txt

In the same repository, running the Trivy config command doesn't produce the same kind of location:

          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]

and this one is actually good IMO:

$ trivy config . --format sarif | jq -r '.runs[].results[].locations[].physicalLocation.artifactLocation.uri'
2022-09-29T18:21:11.483+0200    INFO    Misconfiguration scanning is enabled
2022-09-29T18:21:11.717+0200    INFO    Detected config files: 1
Dockerfile
Dockerfile

What did you expect to happen?

I expect the location of the artifact to be correct, relative to where Trivy was run.

What happened instead?

In some cases (with the fs command, at least), the location is prefixed with a library/ prefix.

Output of run with --debug:

$ trivy fs . --format sarif --debug
2022-09-29T18:23:24.651+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-29T18:23:24.662+0200    DEBUG   cache dir:  /home/jon/.cache/trivy
2022-09-29T18:23:24.662+0200    DEBUG   DB update was skipped because the local DB is the latest
2022-09-29T18:23:24.662+0200    DEBUG   DB Schema: 2, UpdatedAt: 2022-09-29 12:08:18.974080174 +0000 UTC, NextUpdate: 2022-09-29 18:08:18.974079574 +0000 UTC, DownloadedAt: 2022-09-29 16:07:29.266510186 +0000 UTC
2022-09-29T18:23:24.662+0200    INFO    Vulnerability scanning is enabled
2022-09-29T18:23:24.662+0200    DEBUG   Vulnerability type:  [os library]
2022-09-29T18:23:24.662+0200    INFO    Secret scanning is enabled
2022-09-29T18:23:24.662+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-29T18:23:24.662+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-09-29T18:23:24.663+0200    DEBUG   No secret config detected: trivy-secret.yaml
2022-09-29T18:23:24.672+0200    DEBUG   OS is not detected.
2022-09-29T18:23:24.672+0200    DEBUG   Detected OS: unknown
2022-09-29T18:23:24.672+0200    INFO    Number of language-specific files: 1
2022-09-29T18:23:24.672+0200    INFO    Detecting pip vulnerabilities...
2022-09-29T18:23:24.672+0200    DEBUG   Detecting library vulnerabilities, type: pip, path: requirements.txt
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [
            {
              "id": "CVE-2022-28346",
              "name": "LanguageSpecificPackageVulnerability",
              "shortDescription": {
                "text": "CVE-2022-28346"
              },
              "fullDescription": {
                "text": "An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-28346",
              "help": {
                "text": "Vulnerability CVE-2022-28346\nSeverity: CRITICAL\nPackage: django\nFixed Version: 4.0.4, 3.2.13, 2.2.28\nLink: [CVE-2022-28346](https://avd.aquasec.com/nvd/cve-2022-28346)\nAn issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.",
                "markdown": "**Vulnerability CVE-2022-28346**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|django|4.0.4, 3.2.13, 2.2.28|[CVE-2022-28346](https://avd.aquasec.com/nvd/cve-2022-28346)|\n\nAn issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "9.8",
                "tags": [
                  "vulnerability",
                  "security",
                  "CRITICAL"
                ]
              }
            },
            {
              "id": "CVE-2022-28347",
              "name": "LanguageSpecificPackageVulnerability",
              "shortDescription": {
                "text": "CVE-2022-28347"
              },
              "fullDescription": {
                "text": "A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-28347",
              "help": {
                "text": "Vulnerability CVE-2022-28347\nSeverity: CRITICAL\nPackage: django\nFixed Version: 4.0.4, 3.2.13, 2.2.28\nLink: [CVE-2022-28347](https://avd.aquasec.com/nvd/cve-2022-28347)\nA SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.",
                "markdown": "**Vulnerability CVE-2022-28347**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|django|4.0.4, 3.2.13, 2.2.28|[CVE-2022-28347](https://avd.aquasec.com/nvd/cve-2022-28347)|\n\nA SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "9.8",
                "tags": [
                  "vulnerability",
                  "security",
                  "CRITICAL"
                ]
              }
            },
            {
              "id": "CVE-2022-34265",
              "name": "LanguageSpecificPackageVulnerability",
              "shortDescription": {
                "text": "CVE-2022-34265"
              },
              "fullDescription": {
                "text": "An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-34265",
              "help": {
                "text": "Vulnerability CVE-2022-34265\nSeverity: CRITICAL\nPackage: django\nFixed Version: 3.2.14, 4.0.6\nLink: [CVE-2022-34265](https://avd.aquasec.com/nvd/cve-2022-34265)\nAn issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.",
                "markdown": "**Vulnerability CVE-2022-34265**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|django|3.2.14, 4.0.6|[CVE-2022-34265](https://avd.aquasec.com/nvd/cve-2022-34265)|\n\nAn issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "9.8",
                "tags": [
                  "vulnerability",
                  "security",
                  "CRITICAL"
                ]
              }
            },
            {
              "id": "CVE-2021-45115",
              "name": "LanguageSpecificPackageVulnerability",
              "shortDescription": {
                "text": "CVE-2021-45115"
              },
              "fullDescription": {
                "text": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-45115",
              "help": {
                "text": "Vulnerability CVE-2021-45115\nSeverity: HIGH\nPackage: django\nFixed Version: 2.2.26, 3.2.11, 4.0.1\nLink: [CVE-2021-45115](https://avd.aquasec.com/nvd/cve-2021-45115)\nAn issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.",
                "markdown": "**Vulnerability CVE-2021-45115**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|django|2.2.26, 3.2.11, 4.0.1|[CVE-2021-45115](https://avd.aquasec.com/nvd/cve-2021-45115)|\n\nAn issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "7.5",
                "tags": [
                  "vulnerability",
                  "security",
                  "HIGH"
                ]
              }
            },
            {
              "id": "CVE-2021-45116",
              "name": "LanguageSpecificPackageVulnerability",
              "shortDescription": {
                "text": "CVE-2021-45116"
              },
              "fullDescription": {
                "text": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language\u0026#39;s variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-45116",
              "help": {
                "text": "Vulnerability CVE-2021-45116\nSeverity: HIGH\nPackage: django\nFixed Version: 2.2.26, 3.2.11, 4.0.1\nLink: [CVE-2021-45116](https://avd.aquasec.com/nvd/cve-2021-45116)\nAn issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.",
                "markdown": "**Vulnerability CVE-2021-45116**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|django|2.2.26, 3.2.11, 4.0.1|[CVE-2021-45116](https://avd.aquasec.com/nvd/cve-2021-45116)|\n\nAn issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "7.5",
                "tags": [
                  "vulnerability",
                  "security",
                  "HIGH"
                ]
              }
            },
            {
              "id": "CVE-2022-23833",
              "name": "LanguageSpecificPackageVulnerability",
              "shortDescription": {
                "text": "CVE-2022-23833"
              },
              "fullDescription": {
                "text": "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-23833",
              "help": {
                "text": "Vulnerability CVE-2022-23833\nSeverity: HIGH\nPackage: django\nFixed Version: 2.2.27, 3.2.12, 4.0.2\nLink: [CVE-2022-23833](https://avd.aquasec.com/nvd/cve-2022-23833)\nAn issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.",
                "markdown": "**Vulnerability CVE-2022-23833**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|django|2.2.27, 3.2.12, 4.0.2|[CVE-2022-23833](https://avd.aquasec.com/nvd/cve-2022-23833)|\n\nAn issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "7.5",
                "tags": [
                  "vulnerability",
                  "security",
                  "HIGH"
                ]
              }
            },
            {
              "id": "CVE-2022-36359",
              "name": "LanguageSpecificPackageVulnerability",
              "shortDescription": {
                "text": "CVE-2022-36359"
              },
              "fullDescription": {
                "text": "An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-36359",
              "help": {
                "text": "Vulnerability CVE-2022-36359\nSeverity: HIGH\nPackage: django\nFixed Version: 3.2.15, 4.0.7\nLink: [CVE-2022-36359](https://avd.aquasec.com/nvd/cve-2022-36359)\nAn issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.",
                "markdown": "**Vulnerability CVE-2022-36359**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|django|3.2.15, 4.0.7|[CVE-2022-36359](https://avd.aquasec.com/nvd/cve-2022-36359)|\n\nAn issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "8.8",
                "tags": [
                  "vulnerability",
                  "security",
                  "HIGH"
                ]
              }
            },
            {
              "id": "CVE-2021-45452",
              "name": "LanguageSpecificPackageVulnerability",
              "shortDescription": {
                "text": "CVE-2021-45452"
              },
              "fullDescription": {
                "text": "Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-45452",
              "help": {
                "text": "Vulnerability CVE-2021-45452\nSeverity: MEDIUM\nPackage: django\nFixed Version: 2.2.26, 3.2.11, 4.0.1\nLink: [CVE-2021-45452](https://avd.aquasec.com/nvd/cve-2021-45452)\nStorage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.",
                "markdown": "**Vulnerability CVE-2021-45452**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|django|2.2.26, 3.2.11, 4.0.1|[CVE-2021-45452](https://avd.aquasec.com/nvd/cve-2021-45452)|\n\nStorage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "5.3",
                "tags": [
                  "vulnerability",
                  "security",
                  "MEDIUM"
                ]
              }
            },
            {
              "id": "CVE-2022-22818",
              "name": "LanguageSpecificPackageVulnerability",
              "shortDescription": {
                "text": "CVE-2022-22818"
              },
              "fullDescription": {
                "text": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-22818",
              "help": {
                "text": "Vulnerability CVE-2022-22818\nSeverity: MEDIUM\nPackage: django\nFixed Version: 2.2.27, 3.2.12, 4.0.2\nLink: [CVE-2022-22818](https://avd.aquasec.com/nvd/cve-2022-22818)\nThe {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.",
                "markdown": "**Vulnerability CVE-2022-22818**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|django|2.2.27, 3.2.12, 4.0.2|[CVE-2022-22818](https://avd.aquasec.com/nvd/cve-2022-22818)|\n\nThe {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "6.1",
                "tags": [
                  "vulnerability",
                  "security",
                  "MEDIUM"
                ]
              }
            }
          ],
          "version": "0.32.1"
        }
      },
      "results": [
        {
          "ruleId": "CVE-2022-28346",
          "ruleIndex": 0,
          "level": "error",
          "message": {
            "text": "Package: django\nInstalled Version: 4.0.0\nVulnerability CVE-2022-28346\nSeverity: CRITICAL\nFixed Version: 4.0.4, 3.2.13, 2.2.28\nLink: [CVE-2022-28346](https://avd.aquasec.com/nvd/cve-2022-28346)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/requirements.txt",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-28347",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Package: django\nInstalled Version: 4.0.0\nVulnerability CVE-2022-28347\nSeverity: CRITICAL\nFixed Version: 4.0.4, 3.2.13, 2.2.28\nLink: [CVE-2022-28347](https://avd.aquasec.com/nvd/cve-2022-28347)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/requirements.txt",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-34265",
          "ruleIndex": 2,
          "level": "error",
          "message": {
            "text": "Package: django\nInstalled Version: 4.0.0\nVulnerability CVE-2022-34265\nSeverity: CRITICAL\nFixed Version: 3.2.14, 4.0.6\nLink: [CVE-2022-34265](https://avd.aquasec.com/nvd/cve-2022-34265)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/requirements.txt",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2021-45115",
          "ruleIndex": 3,
          "level": "error",
          "message": {
            "text": "Package: django\nInstalled Version: 4.0.0\nVulnerability CVE-2021-45115\nSeverity: HIGH\nFixed Version: 2.2.26, 3.2.11, 4.0.1\nLink: [CVE-2021-45115](https://avd.aquasec.com/nvd/cve-2021-45115)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/requirements.txt",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2021-45116",
          "ruleIndex": 4,
          "level": "error",
          "message": {
            "text": "Package: django\nInstalled Version: 4.0.0\nVulnerability CVE-2021-45116\nSeverity: HIGH\nFixed Version: 2.2.26, 3.2.11, 4.0.1\nLink: [CVE-2021-45116](https://avd.aquasec.com/nvd/cve-2021-45116)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/requirements.txt",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-23833",
          "ruleIndex": 5,
          "level": "error",
          "message": {
            "text": "Package: django\nInstalled Version: 4.0.0\nVulnerability CVE-2022-23833\nSeverity: HIGH\nFixed Version: 2.2.27, 3.2.12, 4.0.2\nLink: [CVE-2022-23833](https://avd.aquasec.com/nvd/cve-2022-23833)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/requirements.txt",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-36359",
          "ruleIndex": 6,
          "level": "error",
          "message": {
            "text": "Package: django\nInstalled Version: 4.0.0\nVulnerability CVE-2022-36359\nSeverity: HIGH\nFixed Version: 3.2.15, 4.0.7\nLink: [CVE-2022-36359](https://avd.aquasec.com/nvd/cve-2022-36359)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/requirements.txt",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2021-45452",
          "ruleIndex": 7,
          "level": "warning",
          "message": {
            "text": "Package: django\nInstalled Version: 4.0.0\nVulnerability CVE-2021-45452\nSeverity: MEDIUM\nFixed Version: 2.2.26, 3.2.11, 4.0.1\nLink: [CVE-2021-45452](https://avd.aquasec.com/nvd/cve-2021-45452)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/requirements.txt",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-22818",
          "ruleIndex": 8,
          "level": "warning",
          "message": {
            "text": "Package: django\nInstalled Version: 4.0.0\nVulnerability CVE-2022-22818\nSeverity: MEDIUM\nFixed Version: 2.2.27, 3.2.12, 4.0.2\nLink: [CVE-2022-22818](https://avd.aquasec.com/nvd/cve-2022-22818)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "library/requirements.txt",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              }
            }
          ]
        }
      ],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      }
    }
  ]
}

Output of trivy -v:

Version: 0.32.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-09-29 12:08:18.974080174 +0000 UTC
  NextUpdate: 2022-09-29 18:08:18.974079574 +0000 UTC
  DownloadedAt: 2022-09-29 16:07:29.266510186 +0000 UTC
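Until the scanner emits the right path, a consumer that gates on SARIF (a CI "blocking linter", an IDE integration) can repair the report itself. The script below is an added example written for this issue; it is not Trivy code and was not posted by anyone in the thread. It assumes the report shape shown above (`runs[].results[].locations[].physicalLocation.artifactLocation.uri`), a caller that knows the directory `trivy fs` was run against, and the rule that a URI is only rewritten when the prefixed path does not exist on disk but the unprefixed one does. The `SPURIOUS_PREFIXES` tuple, the `SAMPLE_SARIF` document (constructed, not real Trivy output) and the `fix_sarif_paths.py` file name are all assumptions of the example.

```python
"""Rewrite Trivy SARIF artifact URIs that carry a spurious directory prefix.

Added example for the "library/" prefix seen in `trivy fs --format sarif`
output. Not Trivy's code; it post-processes a report Trivy already wrote.
"""
import json
import os
import sys
from typing import Callable, Iterator, List, Tuple

# Prefixes observed to be prepended for filesystem scans (assumption taken
# from this issue; extend if other spurious prefixes show up).
SPURIOUS_PREFIXES = ("library/",)

# Constructed sample report (not real Trivy output): one result with the bad
# "library/" location, one with a correct location, one whose file is absent.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy"}},
        "results": [
            {"ruleId": "CVE-2022-28346", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "library/requirements.txt",
                                     "uriBaseId": "ROOTPATH"}}}]},
            {"ruleId": "EXAMPLE-MISCONFIG", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "Dockerfile",
                                     "uriBaseId": "ROOTPATH"}}}]},
            {"ruleId": "EXAMPLE-RULE", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "library/missing.lock",
                                     "uriBaseId": "ROOTPATH"}}}]},
        ],
    }],
}


def iter_artifact_locations(report: dict) -> Iterator[dict]:
    """Yield every artifactLocation object in every result of every run."""
    for run in report.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation")
                if isinstance(art, dict) and "uri" in art:
                    yield art


def normalize_uri(uri: str, exists: Callable[[str], bool]) -> str:
    """Return a URI that resolves under the scanned root.

    Keep the URI if it already resolves (the tree may really contain a
    library/ directory). Otherwise strip a known spurious prefix if the
    remainder resolves. If neither resolves, leave the URI untouched so no
    information is lost.
    """
    if exists(uri):
        return uri
    for prefix in SPURIOUS_PREFIXES:
        if uri.startswith(prefix) and exists(uri[len(prefix):]):
            return uri[len(prefix):]
    return uri


def normalize_report(report: dict, exists: Callable[[str], bool]) -> int:
    """Rewrite artifact URIs in place; return how many locations changed."""
    changed = 0
    for art in iter_artifact_locations(report):
        fixed = normalize_uri(art["uri"], exists)
        if fixed != art["uri"]:
            art["uri"] = fixed
            changed += 1
    return changed


def fs_exists(root: str) -> Callable[[str], bool]:
    """Existence check relative to the directory `trivy fs` was run against.

    Rejects paths that resolve outside the root so a crafted or corrupted
    report cannot make the consumer look at arbitrary files.
    """
    root = os.path.realpath(root)

    def check(rel: str) -> bool:
        full = os.path.realpath(os.path.join(root, rel))
        return os.path.commonpath([root, full]) == root and os.path.exists(full)

    return check


def demo() -> Tuple[int, List[str]]:
    """Run the normaliser on the constructed sample with a constructed file set."""
    present = {"requirements.txt", "Dockerfile"}   # files that "exist"
    report = json.loads(json.dumps(SAMPLE_SARIF))  # work on a copy
    changed = normalize_report(report, exists=lambda p: p in present)
    return changed, [a["uri"] for a in iter_artifact_locations(report)]


if __name__ == "__main__":
    # usage: trivy fs . --format sarif | python fix_sarif_paths.py . > fixed.sarif
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    data = json.load(sys.stdin)
    n = normalize_report(data, fs_exists(scan_root))
    json.dump(data, sys.stdout, indent=2)
    print(f"rewrote {n} artifact location(s)", file=sys.stderr)
```

Run it on the repository from the issue and the nine `library/requirements.txt` locations become `requirements.txt`, while the `Dockerfile` locations from `trivy config` are untouched. The decision is made against the filesystem, not by blind string stripping, so a repository that genuinely has a `library/requirements.txt` keeps it. Note that the report's `originalUriBaseIds.ROOTPATH` is `file:///`; the script deliberately resolves URIs against the directory you pass on the command line rather than against that base.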

github-actions[bot] commented 1 year ago

This issue is stale because it has been labeled with inactivity.

multani commented 1 year ago

Still valid

github-actions[bot] commented 1 year ago

This issue is stale because it has been labeled with inactivity.

multani commented 1 year ago

This is due to ToPathUri, which assumes that everything passed to it is a Docker image: https://github.com/aquasecurity/trivy/blob/d99a7b82f7798c7bd9ee1ad088a4e480a628babb/pkg/report/sarif_test.go#L368-L393

shayaun-voxel commented 1 year ago

We're trying to configure trivy as a custom blocking linter, and this issue is making it difficult for us to continue since trivy is returning bad paths in the output. Wondering if there are plans to fix this?

multani commented 1 year ago

@shayaun-voxel I'm passively having a look. It mostly comes from this change IMO, but I haven't found what a proper fix would be yet.

afdesk commented 1 year ago

> @shayaun-voxel I'm passively having a look. It mostly comes from this change IMO, but I haven't found what a proper fix would be yet.

it's interesting. I'd take a look at this function: https://github.com/aquasecurity/trivy/blob/main/pkg/report/sarif.go#L273-L284

I'll do it when I have more time.