aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

bug: SARIF URI scheme "git" did not match the checkout URI scheme "file" #5003

Closed nikpivkin closed 8 months ago

nikpivkin commented 1 year ago

source: https://github.com/aquasecurity/tfsec/issues/1955

Config example:

module "kubernetes-engine_workload-identity" {
  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  version             = "27.0.0"
  name                = "my-application-name"
  namespace           = "default"
  project_id          = "my-gcp-project-name"
  use_existing_k8s_sa = true
  annotate_k8s_sa     = false
  k8s_sa_name         = "dagster"
  roles               = ["roles/storage.admin"]
}

Output:

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [
            {
              "id": "AVD-GCP-0007",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "Service accounts should not have roles assigned with excessive privileges"
              },
              "fullDescription": {
                "text": "Service accounts should have a minimal set of permissions assigned in order to do their job. They should never have excessive access as if compromised, an attacker can escalate privileges and take over the entire account."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-gcp-0007",
              "help": {
                "text": "Misconfiguration AVD-GCP-0007\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Service accounts should not have roles assigned with excessive privileges\nMessage: Service account is granted a privileged role.\nLink: [AVD-GCP-0007](https://avd.aquasec.com/misconfig/avd-gcp-0007)\nService accounts should have a minimal set of permissions assigned in order to do their job. They should never have excessive access as if compromised, an attacker can escalate privileges and take over the entire account.",
                "markdown": "**Misconfiguration AVD-GCP-0007**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Service accounts should not have roles assigned with excessive privileges|Service account is granted a privileged role.|[AVD-GCP-0007](https://avd.aquasec.com/misconfig/avd-gcp-0007)|\n\nService accounts should have a minimal set of permissions assigned in order to do their job. They should never have excessive access as if compromised, an attacker can escalate privileges and take over the entire account."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "8.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "HIGH"
                ]
              }
            }
          ],
          "version": "0.44.1"
        }
      },
      "results": [
        {
          "ruleId": "AVD-GCP-0007",
          "ruleIndex": 0,
          "level": "error",
          "message": {
            "text": "Artifact: git::https:/github.com/terraform-google-modules/terraform-google-kubernetes-engine?ref=v27.0.0/modules/workload-identity/main.tf\nType: terraform\nVulnerability AVD-GCP-0007\nSeverity: HIGH\nMessage: Service account is granted a privileged role.\nLink: [AVD-GCP-0007](https://avd.aquasec.com/misconfig/avd-gcp-0007)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "https://github.com/terraform-google-modules/terraform-google-kubernetes-engine?ref=v27.0.0/modules/workload-identity/main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 91,
                  "startColumn": 1,
                  "endLine": 91,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "git::https:/github.com/terraform-google-modules/terraform-google-kubernetes-engine?ref=v27.0.0/modules/workload-identity/main.tf"
              }
            }
          ]
        }
      ],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      }
    }
  ]
}

I used this service for SARIF validation: https://sarifweb.azurewebsites.net/Validation

Validation result:

[GH1005](http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html): runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri: 'git::https:/github.com/terraform-google-modules/terraform-google-kubernetes-engine?ref=v27.0.0/modules/workload-identity/main.tf' is not a file path. GitHub Advanced Security code scanning only displays results whose locations are specified by file paths, either as relative URIs or as absolute URIs that use the 'file' scheme.

Description of the uri property in the SARIF specification.

kmganna commented 1 year ago

I had the same error when I am using the below modules

terraform-aws-modules/lambda/aws
terraform-aws-modules/s3-bucket/aws//modules/notification

megalucio commented 1 year ago

Any update on this? The only release that works is 0.8.0. All the others fail.

rusnyder commented 1 year ago

Adding some notes from testing: I cannot reproduce this running trivy installed on my local machine, but I can reproduce this running the same version of trivy using the Docker image.

I'm hoping the reproductions below help!

OS: MacOS 13.5.2
Arch: M1 Pro (amd64)
Trivy: 0.45.1 (installed via Homebrew)

Works (local)

$ trivy --version
Version: 0.45.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-22 00:23:59.552431691 +0000 UTC
  NextUpdate: 2023-09-22 06:23:59.552431291 +0000 UTC
  DownloadedAt: 2023-09-22 04:44:16.227725 +0000 UTC
Policy Bundle:
  Digest: sha256:fd5f1ce3d8efb1fe158cb41f9adb9d7c7cc5c4c863b261053c962e6d950350b3
  DownloadedAt: 2023-09-22 04:44:24.462946 +0000 UTC

# Grep finds no invalid results
$ trivy repo --quiet \
    --scanners config \
    --format sarif \
    https://github.com/terraform-aws-modules/terraform-aws-lambda \
  | grep '"uri": "git:'

Broken (docker)

$ docker run --rm ghcr.io/aquasecurity/trivy:0.45.1 --version
Version: 0.45.1

# Grep finds several invalid URIs in result
$ docker run --rm ghcr.io/aquasecurity/trivy:0.45.1 repo --quiet \
    --scanners config \
    --format sarif \
    https://github.com/terraform-aws-modules/terraform-aws-lambda \
  | grep '"uri": "git:'
                  "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.0.1/main.tf",
                  "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=v5.0.0/main.tf",
                  "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=v5.0.0/main.tf",
                  "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=v5.0.0/main.tf",
                  "uri": "git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=v5.0.0/main.tf",

maxbrunet commented 1 year ago

I think this was introduced by this PR aquasecurity/defsec#1202 which basically reverted this year-old fix aquasecurity/defsec#889

Edit: maybe not, by looking at all the dates and contexts, but it seems related.

Edit 2: tfsec used defsec for its SARIF format, not Trivy, but there may be lessons that can be learned from it.

See also GitHub Code Scanning API limitations for the SARIF format: https://github.com/github/codeql-action/issues/754#issuecomment-930337869

maxbrunet commented 1 year ago

It seems the PR did not fix it, I still get the error with Trivy v0.46.0, URI schemes are not removed 😕

$ trivy version
Version: v0.46.0

$ trivy config --format sarif --output trivy-results.sarif .

$ jq '[
  .runs[].results[].locations[].physicalLocation.artifactLocation.uri
  | select(startswith("git::https:/"))
] | length' trivy-results.sarif
41

I am currently working around it with:

sed -i 's#git::https:/##g' trivy-results.sarif
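
The check GitHub's validator applies (GH1005: every artifactLocation.uri must be a relative path or an absolute file: URI) is easy to reproduce locally, and the sed workaround above can be scoped to only the location fields so it cannot touch unrelated text in the report. The following script is an added example for this thread, not Trivy's own code nor the workaround as posted; the embedded SARIF is a constructed, trimmed-down copy of the report in this issue with a made-up module URL (github.com/example/mod), and the file-path rule is taken from the GH1005 message quoted above.

```python
"""Find SARIF result locations that GitHub code scanning would drop
(artifactLocation.uri with a scheme other than file:) and strip the
offending scheme prefix from those fields only.

Added example for this issue; not part of Trivy. Sample input is constructed."""
import copy
import json
import sys
from urllib.parse import urlsplit

# Constructed sample report modelled on the one in this issue (assumed URL).
SAMPLE_SARIF = json.loads(r'''{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Trivy", "rules": [{"id": "AVD-GCP-0007"}]}},
    "results": [
      {"ruleId": "AVD-GCP-0007", "ruleIndex": 0, "level": "error",
       "message": {"text": "Artifact: git::https:/github.com/example/mod?ref=v1.0.0/main.tf"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "git::https:/github.com/example/mod?ref=v1.0.0/main.tf",
                              "uriBaseId": "ROOTPATH"},
         "region": {"startLine": 91, "startColumn": 1, "endLine": 91, "endColumn": 1}},
         "message": {"text": "git::https:/github.com/example/mod?ref=v1.0.0/main.tf"}}]},
      {"ruleId": "AVD-GCP-0007", "ruleIndex": 0, "level": "error",
       "message": {"text": "Artifact: main.tf"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "main.tf", "uriBaseId": "ROOTPATH"},
         "region": {"startLine": 3, "startColumn": 1, "endLine": 3, "endColumn": 1}}}]}
    ],
    "originalUriBaseIds": {"ROOTPATH": {"uri": "file:///"}}
  }]
}''')


def is_file_path(uri: str) -> bool:
    """GH1005 rule: accept relative URIs (no scheme) or absolute file: URIs."""
    scheme = urlsplit(uri).scheme.lower()
    return scheme in ("", "file")


def iter_locations(sarif):
    """Yield (run_idx, result_idx, loc_idx, location) for every result location."""
    for r, run in enumerate(sarif.get("runs", [])):
        for i, result in enumerate(run.get("results", [])):
            for j, loc in enumerate(result.get("locations", [])):
                yield r, i, j, loc


def find_non_file_uris(sarif):
    """Return [(run, result, loc, uri)] for every location code scanning would reject."""
    bad = []
    for r, i, j, loc in iter_locations(sarif):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
        if not is_file_path(uri):
            bad.append((r, i, j, uri))
    return bad


def strip_scheme_prefix(sarif, prefix="git::https:/"):
    """Return a deep copy with `prefix` removed from artifactLocation.uri and the
    per-location message text only. Same edit as `sed 's#git::https:/##g'`, but it
    cannot alter rule descriptions or other unrelated strings in the report."""
    out = copy.deepcopy(sarif)
    for _, _, _, loc in iter_locations(out):
        art = loc.get("physicalLocation", {}).get("artifactLocation")
        if art and art.get("uri", "").startswith(prefix):
            art["uri"] = art["uri"][len(prefix):]
        msg = loc.get("message")
        if msg and isinstance(msg.get("text"), str):
            msg["text"] = msg["text"].replace(prefix, "")
    return out


if __name__ == "__main__":
    # Usage: python sarif_uri_check.py trivy-results.sarif [fixed.sarif]
    sarif = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    for r, i, j, uri in find_non_file_uris(sarif):
        print(f"run {r} result {i} location {j}: not a file path: {uri}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w") as fh:
            json.dump(strip_scheme_prefix(sarif), fh, indent=2)
```

Note that stripping the prefix only makes the upload pass validation: the remaining path (github.com/...?ref=.../main.tf) still does not point at a file in the checked-out repository, so GitHub cannot annotate a line, which is why the thread treats this as a temporary workaround rather than a fix.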

musabmirza-amperon commented 1 year ago

Same in 0.47.0 🤔

jesse-eiq commented 9 months ago

Still an issue in 0.49.0. Thanks @maxbrunet for this quick and dirty fix!

carjessu-trm commented 8 months ago

Unfortunately, still an issue for us. Thanks, @maxbrunet, for the temporary fix!

erzz commented 8 months ago

also used the workaround above with current version of Trivy - works great but any chance you can reopen this @knqyf263 ?

knqyf263 commented 8 months ago

@nikpivkin Can you please take a look?