aws-actions / vulnerability-scan-github-action-for-amazon-inspector

Scan artifacts with Amazon Inspector from GitHub Actions workflows.
https://docs.aws.amazon.com/inspector/
MIT License

`skip-files` Inputs causes inspector-sbomgen to panic/crash #67

Closed snooyen closed 2 weeks ago

snooyen commented 2 weeks ago

Description

Attempting to workaround the 2000 component limit by leveraging the --skip-files argument in inspector-sbomgen, but it results in a runtime panic.

Expected Behavior

Expect the action to succeed with components skipped.

Actual Behavior

Run aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.2
  with:
    artifact_type: container
    artifact_path: REDACTED
    display_vulnerability_findings: enabled
    skip_files: "/usr/local/lib/node_modules/npm/package.json"
    output_sbom_path: ./sbom_9863127356.json
    output_inspector_scan_path: inspector_scan_9863127356.json
    output_inspector_scan_path_csv: inspector_scan_9863127356.csv
    output_inspector_scan_path_markdown: inspector_scan_9863127356.md
    output_inspector_dockerfile_scan_path_csv: inspector_dockerfile_scan_9863127356.csv
    output_inspector_dockerfile_scan_path_markdown: inspector_dockerfile_scan_9863127356.md
    sbomgen_version: latest
    critical_threshold: 0
    high_threshold: 0
    medium_threshold: 0
    low_threshold: 0
    other_threshold: 0
    scanners: ''
    skip_scanners: ''
    timeout: 600
  env:
    AWS_DEFAULT_REGION: us-west-2
    AWS_REGION: us-west-2
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***
/usr/bin/docker run --name c5ccb99b99a04e4477792214a47d4b5a34b_c21723 --label 762c5c --workdir /github/workspace --rm -e "AWS_DEFAULT_REGION" -e "AWS_REGION" -e "AWS_ACCESS_KEY_ID" -e "AWS_SECRET_ACCESS_KEY" -e "AWS_SESSION_TOKEN" -e "INPUT_ARTIFACT_TYPE" -e "INPUT_ARTIFACT_PATH" -e "INPUT_DISPLAY_VULNERABILITY_FINDINGS" -e "INPUT_SKIP_FILES" -e "INPUT_OUTPUT_SBOM_PATH" -e "INPUT_OUTPUT_INSPECTOR_SCAN_PATH" -e "INPUT_OUTPUT_INSPECTOR_SCAN_PATH_CSV" -e "INPUT_OUTPUT_INSPECTOR_SCAN_PATH_MARKDOWN" -e "INPUT_OUTPUT_INSPECTOR_DOCKERFILE_SCAN_PATH_CSV" -e "INPUT_OUTPUT_INSPECTOR_DOCKERFILE_SCAN_PATH_MARKDOWN" -e "INPUT_SBOMGEN_VERSION" -e "INPUT_CRITICAL_THRESHOLD" -e "INPUT_HIGH_THRESHOLD" -e "INPUT_MEDIUM_THRESHOLD" -e "INPUT_LOW_THRESHOLD" -e "INPUT_OTHER_THRESHOLD" -e "INPUT_SCANNERS" -e "INPUT_SKIP_SCANNERS" -e "INPUT_TIMEOUT" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v 
"/home/runner/_work/_temp/_github_home":"/github/home" -v "/home/runner/_work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/_work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/_work/cloud-api/cloud-api":"/github/workspace" 762c5c:cb99b99a04e4477792214a47d4b5a34b  "--artifact-type=container" "--artifact-path=REDACTED" "--display-vuln-findings=enabled" "--out-sbom=./sbom_9863127356.json" "--out-scan=inspector_scan_9863127356.json" "--out-scan-csv=inspector_scan_9863127356.csv" "--out-scan-markdown=inspector_scan_9863127356.md" "--out-dockerfile-scan-csv=inspector_dockerfile_scan_9863127356.csv" "--out-dockerfile-scan-md=inspector_dockerfile_scan_9863127356.md" "--sbomgen-version=latest" "--thresholds" "--critical=0" "--high=0" "--medium=0" "--low=0" "--other=0" "--scanners=''" "--skip-scanners=''" "--skip-files=\"/usr/local/lib/node_modules/npm/package.json\"" "--timeout=600"
time="2024-07-09 19:42:03" level=info msg="downloading and installing inspector-sbomgen version latest" file="orchestrator.py:17"
time="2024-07-09 19:42:04" level=info msg="generating SBOM from artifact" file="orchestrator.py:21"
time="2024-07-09 19:42:04" level=info msg="setting --skip-files: "/usr/local/lib/node_modules/npm/package.json"" file="orchestrator.py:197"
time="2024-07-09T19:42:04Z" level=info msg="Amazon Inspector SBOM Generator v1.3.0 - linux amd64 - Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved"
time="2024-07-09T19:42:04Z" level=info msg="[/usr/local/bin/inspector-sbomgen container --image REDACTED --outfile ./sbom_9863127356.json --disable-progress-bar --timeout 600 --skip-files /usr/local/lib/node_modules/npm/package.json]"
time="2024-07-09T19:42:04Z" level=info msg="writing log file to: /github/home/.inspector-sbomgen/logs/inspector-sbomgen-log_2024-07-09_19-42-04.txt"
time="2024-07-09 19:42:04" level=info msg="initializing target artifact" file="coreV1.go:34:"
time="2024-07-09 19:42:04" level=info msg="created temporary staging directory: /github/home/.inspector-sbomgen/artifact-cache957860256" file="stagingdir.go:60:"
time="2024-07-09 19:42:04" level=info msg="checking if image is a tarball" file="imageInit.go:28:"
time="2024-07-09 19:42:04" level=info msg="checking if image exists in the local Docker daemon" file="imageInit.go:37:"
time="2024-07-09 19:42:04" level=info msg="image appears to be locally cached" file="imageInit.go:40:"
time="2024-07-09 19:42:10" level=info msg="executing pre-processors" file="coreV1.go:44:"
time="2024-07-09 19:42:10" level=info msg="initializing analyzers" file="artifactContainer.go:135:"
time="2024-07-09 19:42:10" level=info msg="inventorying the image; this may take some time depending on your image size..." file="artifactContainer.go:140:"
panic: runtime error: index out of range [2] with length 2

goroutine 68 [running]:
github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage.isFileExcluded({0xc000127438, 0x4}, {0xc0006b5ca0?, 0x1, 0x7f37047fa5b8?})
    github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage/localDockerImage.go:170 +0x1a6
github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage.unpackLayer({0xf26b60?, 0xc0006c4000}, {0xc0006ab780, 0x37}, 0xbebc200, {0xc0006b5ca0, 0x1, 0x1})
    github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage/localDockerImage.go:105 +0x251
github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage.unpackLocalDockerImage({0x7ffd0750d5f8, 0x6d}, {0xc0006ab780, 0x37}, 0xc000386db8?, {0xc0006b5ca0, 0x1, 0x1})
    github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage/localDockerImage.go:68 +0x579
github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage.(*ArtifactContainer).walkLocalImage(0xc0008ac500, {0xc000386ef8?, 0xc48bc5?}, 0xc32a25?, {0xc000386f58?, 0xc48b59?, 0xc329a7?})
    github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage/imageIO.go:131 +0x110
github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage.(*ArtifactContainer).WalkArtifact(0xc0008ac500, {0x0, 0x0}, 0x0?, {0xc0006b5ca0, 0x1, 0x1})
    github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage/imageIO.go:40 +0x145
github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage.invokeWalkArtifact({0xf361a0, 0xc0008ac500})
    github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage/artifactContainer.go:157 +0x54
created by github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage.(*ArtifactContainer).PreProcess in goroutine 29
    github.com/aws/amazon-inspector-sbom-generator/pkg/artifacts/containerImage/artifactContainer.go:143 +0x152
time="2024-07-09 19:42:15" level=error msg="unable to generate SBOM with inspector-sbomgen" file="orchestrator.py:451"

Steps to Reproduce

Specify skip-files input in action call. I've tried several variants such as

skip_files: /usr/local/lib/node_modules/npm/package.json
skip_files: '"/usr/local/lib/node_modules/npm/package.json"'
skip_files: '/usr/local/lib/node_modules/npm/package.json'
skip_files: "/usr/local/lib/node_modules/npm/package.json"
skip_files: "'/usr/local/lib/node_modules/npm/package.json'"

Other Information

Running on self-hosted GHA runners via actions-runner-controller.

bluesentinelsec commented 2 weeks ago

Hello, thank you for reaching out. We are confirming receipt of your issue. We will begin to triage the problem, and will report back when we have pertinent updates.

bluesentinelsec commented 2 weeks ago

We have triaged the problem.

Of the action inputs you provided, this is correct:

skip_files: "/usr/local/lib/node_modules/npm/package.json"

However, we have determined the panic is caused by an issue in our inventory agent, inspector-sbomgen, meaning the action will continue to fail until the issue is resolved.

We are presently working on a hotfix to address this issue.

I will report back with an ETA and any workarounds once we're confident in the solution.

Thank you for your patience and apologies for the inconvenience.

bluesentinelsec commented 2 weeks ago

Update: we have a fix in place to resolve this issue. We are planning on deploying the fix early next week. I will let you know when the fix is available for your use.

bluesentinelsec commented 2 weeks ago

@snooyen We have fixed the issue in inspector-sbomgen that was causing the panic when using the skip_files argument.

I was able to successfully execute the GitHub Action against node:latest while using this line:

skip_files: "/usr/local/lib/node_modules/npm/package.json"

Please update your workflows to point to sbomgen v1.3.1 or latest to resolve the skip-files panic:

# from your GitHub Actions workflow files
sbomgen_version: "1.3.1"

Keep in mind these changes only resolve the panic - I do not know whether this will resolve the 2,000+ component count issue because it depends on your image's configuration.

inspector-sbomgen does not presently support splitting the Inspector scan into multiple requests. If this is functionality you would like, you are welcome to open an issue ticket requesting this feature. Doing so helps us prioritize which features to implement.

Alternatively, you may consider writing your own CI/CD integration on top of inspector-sbomgen to handle splitting / chunking the SBOM into multiple Inspector requests. You can find general documentation on custom CI/CD integrations on our official docs: https://docs.aws.amazon.com/inspector/latest/user/cicd-custom.html
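One shape such a custom integration could take, as an added example that is not code from this action or from inspector-sbomgen: split an oversized CycloneDX SBOM into chunks that each stay under the 2,000-component limit mentioned in this issue, keeping only the dependency edges whose endpoints both land in the same chunk, then submit each chunk separately. The boto3 `inspector-scan` client and its `scan_sbom()` call are the public Inspector Scan API; the sample SBOM and the chunk size of 2 are constructed for illustration.

```python
"""Chunk a CycloneDX SBOM for Amazon Inspector's per-scan component limit."""
import copy

MAX_COMPONENTS = 2000  # per-scan limit reported in this issue


def chunk_sbom(sbom: dict, max_components: int = MAX_COMPONENTS) -> list[dict]:
    """Return self-contained CycloneDX documents with at most max_components
    components each; metadata is copied into every chunk and dependency
    entries are trimmed to refs present in that chunk."""
    components = sbom.get("components", [])
    dependencies = sbom.get("dependencies", [])
    chunks = []
    for start in range(0, len(components), max_components):
        part = components[start:start + max_components]
        refs = {c["bom-ref"] for c in part if "bom-ref" in c}
        chunk = {k: copy.deepcopy(v) for k, v in sbom.items()
                 if k not in ("components", "dependencies")}
        chunk["components"] = part
        chunk["dependencies"] = [
            {"ref": d["ref"],
             "dependsOn": [r for r in d.get("dependsOn", []) if r in refs]}
            for d in dependencies if d.get("ref") in refs]
        chunks.append(chunk)
    return chunks


def scan_in_chunks(sbom: dict, client, max_components: int = MAX_COMPONENTS) -> list[dict]:
    """Submit every chunk through client.scan_sbom() and collect the responses.
    client is normally boto3.client('inspector-scan'); any object with the
    same scan_sbom(sbom=..., outputFormat=...) signature can be injected."""
    return [client.scan_sbom(sbom=chunk, outputFormat="CYCLONE_DX_1_5")
            for chunk in chunk_sbom(sbom, max_components)]


# Constructed sample: 5 components, chunked 2 per request for illustration.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "container", "name": "node:latest"}},
    "components": [{"type": "library", "name": f"pkg{i}", "version": "1.0",
                    "bom-ref": f"pkg{i}"} for i in range(5)],
    "dependencies": [{"ref": "pkg0", "dependsOn": ["pkg1", "pkg4"]},
                     {"ref": "pkg3", "dependsOn": ["pkg2"]}],
}

if __name__ == "__main__":
    import boto3  # assumes AWS credentials and region are configured
    for resp in scan_in_chunks(SAMPLE_SBOM, boto3.client("inspector-scan"), 2):
        print(str(resp)[:200])
```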

bluesentinelsec commented 2 weeks ago

I am marking this issue as resolved.

Please reach out to us again if you need further support.

snooyen commented 2 weeks ago

Thanks for the prompt response and resolution! The component limit actually pointed us to some optimizations we were able to make with respect to our NodeJS containers!