aws-actions / vulnerability-scan-github-action-for-amazon-inspector

Scan artifacts with Amazon Inspector from GitHub Actions workflows.
https://docs.aws.amazon.com/inspector/
MIT License

Summary table missing useful data for detected vulnerabilities #68

Closed snooyen closed 1 month ago

snooyen commented 1 month ago

Description

Our CI/CD pipeline is configured to block if any critical vulnerabilities are detected in the container. The GHA Job Summary for one of our containers reported a critical vulnerability, but this vulnerability was not clearly represented in the table.

Expected Behavior

Expect the Summary markdown to not be missing data in the Severity column.

Actual Behavior

In the below Summary generated by the action, the vulnerability with id IN-DISCONTINUED-001 is a critical vulnerability, but its severity is not reflected properly in the summary even though it is traceable in the vulnerability scan JSON.

Amazon Inspector Scan Results

Artifact Name: my-image:latest

Artifact Type: container

Vulnerability Counts by Severity

| Severity | Count |
|---|---|
| Critical | 1 |
| High | 4 |
| Medium | 4 |
| Low | 0 |
| Other | 0 |

Vulnerability Findings

| ID | Severity | CVSS | Installed Package (PURL) | Fixed Package | Path | EPSS | Exploit Available | Exploit Last Seen | CWEs |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-41919 | high | 8.8 | pkg:npm/fastify@3.29.0 | 3.29.4 | /usr/src/app/targets/server/node_modules/@nestjs/platform-fastify/node_modules/fastify/package.json | 0.00129 | | | CWE-352 |
| CVE-2023-45857 | medium | 6.5 | pkg:npm/axios@0.27.2 | 0.28.0 | /usr/src/app/targets/server/node_modules/axios/package.json | 0.00055 | true | 2024-07-07T07:44:56Z | CWE-352 |
| CVE-2023-26159 | medium | 6.1 | pkg:npm/follow-redirects@1.15.3 | 1.15.4 | /usr/src/app/targets/server/node_modules/follow-redirects/package.json | 0.00051 | true | 2024-07-09T08:37:12Z | CWE-601, CWE-20 |
| CVE-2023-26108 | medium | 5.3 | pkg:npm/@nestjs/core@8.4.7 | 9.0.5 | /usr/src/app/targets/server/node_modules/@nestjs/core/package.json | 0.00075 | true | 2023-12-15T04:28:10Z | CWE-200 |
| CVE-2024-4068 | | | pkg:npm/braces@3.0.2 | 3.0.3 | /usr/src/app/targets/server/node_modules/braces/package.json | 0.00045 | | | CWE-400, CWE-1050 |
| CVE-2024-28176 | | | pkg:npm/jose@4.15.4 | 4.15.5 | /usr/src/app/targets/server/node_modules/jose/package.json | 0.00044 | | | CWE-400 |
| CVE-2024-4067 | | | pkg:npm/micromatch@4.0.5 | 4.0.6 | /usr/src/app/targets/server/node_modules/micromatch/package.json | 0.00045 | true | 2024-07-08T18:32:38Z | CWE-1333 |
| CVE-2024-28849 | | | pkg:npm/follow-redirects@1.15.3 | 1.15.6 | /usr/src/app/targets/server/node_modules/follow-redirects/package.json | 0.00044 | | | CWE-200 |
| IN-DISCONTINUED-001 | | | null | null | | | | | CWE-1104 |

Steps to Reproduce

See JSON snippet pasted in Other Information

Other Information

Scan JSON Snippet:

```json
{
    "sbom": {
        "specVersion": "1.5",
        "metadata": {
            "tools": {
                "services": [
                    {
                        "name": "Amazon Inspector Scan SBOM API",
                        "version": "682333b1+07d068a7+195e9245"
                    }
                ]
            },
            "properties": [
                {
                    "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
                    "value": "1"
                },
                {
                    "name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
                    "value": "4"
                },
                {
                    "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
                    "value": "4"
                },
                {
                    "name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
                    "value": "0"
                },
                {
                    "name": "amazon:inspector:sbom_scanner:other_vulnerabilities",
                    "value": "0"
                }
            ],
            "timestamp": "2024-07-12T19:44:19.368Z"
        },
        "components": [
            {
                "bom-ref": "comp-1",
                "name": "Alpine Linux",
                "type": "operating-system",
                "version": "3.15.11",
                "properties": [
                    {
                        "name": "amazon:inspector:sbom_scanner:end_of_life",
                        "value": "2023-11-01T00:00:00Z"
                    }
                ]
            },
. . .
        ],
        "serialNumber": "urn:uuid:a31a2cb1-62bf-4131-95e0-56df058d8589",
        "bomFormat": "CycloneDX",
        "vulnerabilities": [
. . .
            {
                "advisories": [
                    {
                        "url": "https://docs.aws.amazon.com/inspector/latest/user/supported.html"
                    }
                ],
                "bom-ref": "vuln-8",
                "ratings": [
                    {
                        "severity": "critical",
                        "method": "other",
                        "source": {
                            "name": "AMAZON_INSPECTOR",
                            "url": "https://aws.amazon.com/inspector/"
                        }
                    }
                ],
                "created": "2024-04-08T15:09:42Z",
                "description": "Discontinued Operating System: This resource relies on an operating system that was discontinued and is no longer actively supported or maintained by the original developer or a trusted proxy for the original developer. Amazon Inspector previously provided full support for this operating system and will continue to scan impacted resources. However, any findings Amazon Inspector generates for a discontinued operating system are for informational purposes only.",
                "affects": [
                    {
                        "ref": "comp-1"
                    }
                ],
                "id": "IN-DISCONTINUED-001",
                "source": {
                    "name": "AMAZON_INSPECTOR",
                    "url": "https://aws.amazon.com/inspector/"
                },
                "cwes": [
                    1104
                ],
                "analysis": {
                    "state": "in_triage"
                },
                "updated": "2024-04-08T15:09:42Z"
            },
. . .
        ]
. . .
```
bluesentinelsec commented 1 month ago

Hello, we are confirming receipt of your ticket. We will begin triaging the issue, and will report back when we have pertinent updates.

bluesentinelsec commented 1 month ago

@snooyen currently the GitHub Action summary report only supports vulnerability severity values provided by the National Vulnerability Database (NVD). As you stated, vulnerability severity for other providers is not displayed. We are planning on supporting severity values from other providers in the near future.

This issue will likely be idle/on hold through this week, but I will report back when we start the work, and I will offer an ETA when we have confidence in the solution.

Thank you for your continued patience.
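The root cause described in the report and in the maintainer's reply is that the summary reads severity only from ratings whose `source` is NVD, so a finding such as IN-DISCONTINUED-001, rated only by AMAZON_INSPECTOR, lands in the table with an empty Severity cell even though the counts table says there is one critical finding. The script below is an added example written for this page; it is not the action's own code. It parses a constructed CycloneDX excerpt modelled on the snippet in the issue, picks a severity per vulnerability with NVD preferred and any other rating source as a fallback, cross-checks the per-row result against the scanner's own `amazon:inspector:sbom_scanner:*_vulnerabilities` metadata counts, and produces the list of IDs a CI gate set to "block on critical" should fail on. Function names (`pick_severity`, `counts_match_metadata`, `findings_at_or_above`) and the preference order are assumptions for the example.

```python
import json

# Constructed CycloneDX 1.5 excerpt modelled on the issue's scan JSON (sample values,
# not the real scan): one NVD-rated CVE and one Inspector-only finding.
SCAN_JSON = r"""
{
  "sbom": {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"properties": [
      {"name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", "value": "1"},
      {"name": "amazon:inspector:sbom_scanner:high_vulnerabilities", "value": "1"},
      {"name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", "value": "0"},
      {"name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0"},
      {"name": "amazon:inspector:sbom_scanner:other_vulnerabilities", "value": "0"}]},
    "components": [
      {"bom-ref": "comp-1", "name": "Alpine Linux", "type": "operating-system", "version": "3.15.11"},
      {"bom-ref": "comp-2", "name": "fastify", "type": "library", "version": "3.29.0",
       "purl": "pkg:npm/fastify@3.29.0"}],
    "vulnerabilities": [
      {"id": "CVE-2022-41919",
       "ratings": [{"severity": "high", "score": 8.8, "method": "CVSSv31",
                    "source": {"name": "NVD", "url": "https://nvd.nist.gov/"}}],
       "affects": [{"ref": "comp-2"}], "cwes": [352]},
      {"id": "IN-DISCONTINUED-001",
       "ratings": [{"severity": "critical", "method": "other",
                    "source": {"name": "AMAZON_INSPECTOR", "url": "https://aws.amazon.com/inspector/"}}],
       "affects": [{"ref": "comp-1"}], "cwes": [1104]}]
  }
}
"""

SEVERITIES = ("critical", "high", "medium", "low")  # ordered, most severe first


def rating_source(rating):
    """Name of the rating's source (e.g. NVD, AMAZON_INSPECTOR), upper-cased."""
    return ((rating.get("source") or {}).get("name") or "").upper()


def pick_severity(vuln, preferred=("NVD",)):
    """Return (severity, source) for one CycloneDX vulnerability.

    Preferred sources win when present; otherwise the first rating that carries
    a severity is used, so a non-NVD-only finding is not left blank.
    """
    ratings = vuln.get("ratings") or []
    for name in preferred:
        for r in ratings:
            if rating_source(r) == name and r.get("severity"):
                return r["severity"].lower(), name
    for r in ratings:
        if r.get("severity"):
            return r["severity"].lower(), rating_source(r) or "UNKNOWN"
    return "unknown", None


def summarize(scan):
    """Flatten the SBOM's vulnerabilities into rows for a summary table."""
    sbom = scan["sbom"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    rows = []
    for v in sbom.get("vulnerabilities", []):
        severity, source = pick_severity(v)
        affected = [comps.get(a["ref"], {}).get("purl") or comps.get(a["ref"], {}).get("name", a["ref"])
                    for a in v.get("affects", [])]
        rows.append({"id": v["id"], "severity": severity, "source": source,
                     "affected": affected, "cwes": [f"CWE-{c}" for c in v.get("cwes", [])]})
    return rows


def count_by_severity(rows):
    counts = {s: 0 for s in SEVERITIES}
    counts["other"] = 0
    for r in rows:
        counts[r["severity"] if r["severity"] in counts else "other"] += 1
    return counts


def counts_match_metadata(scan, rows):
    """Cross-check computed counts against the scanner's own metadata counts.

    A mismatch means a finding was dropped or mis-rated on the way to the table,
    which is exactly the symptom in the issue (1 critical declared, none shown).
    """
    props = {p["name"]: p["value"] for p in scan["sbom"]["metadata"].get("properties", [])}
    for level, n in count_by_severity(rows).items():
        declared = props.get(f"amazon:inspector:sbom_scanner:{level}_vulnerabilities")
        if declared is not None and int(declared) != n:
            return False
    return True


def findings_at_or_above(rows, threshold="critical"):
    """IDs that a CI gate configured to block at `threshold` must fail on."""
    allowed = SEVERITIES[: SEVERITIES.index(threshold) + 1]
    return [r["id"] for r in rows if r["severity"] in allowed]


def render_markdown(rows):
    lines = ["| ID | Severity | Source | Affected | CWEs |", "|---|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r['id']} | {r['severity']} | {r['source'] or ''} | "
                     f"{', '.join(r['affected'])} | {', '.join(r['cwes'])} |")
    return "\n".join(lines)


SCAN = json.loads(SCAN_JSON)
ROWS = summarize(SCAN)

if __name__ == "__main__":
    print(render_markdown(ROWS))
    print(count_by_severity(ROWS), "consistent:", counts_match_metadata(SCAN, ROWS))
    blocked = findings_at_or_above(ROWS, "critical")
    print("blocking on:", blocked)
    raise SystemExit(1 if blocked else 0)  # non-zero exit fails the pipeline step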

bluesentinelsec commented 1 month ago

@snooyen Quick update, work has started for on-boarding vulnerability severity values from providers in addition to NVD. We do not have a firm ETA now; however, we will provide one when we are confident in the solution. Thank you for your continued patience.

bluesentinelsec commented 1 month ago

@snooyen Minor update: we've finished testing and reviewing our initial solution. During our review, we identified some edge cases that require additional code changes before we can make this fix available to customers. We are currently working on those changes, after which point, we should have an ETA as to when this issue will be resolved. We thank you for your continued patience and understanding as we work on resolving your issue.

bluesentinelsec commented 1 month ago

@snooyen We have deployed a new version of this action to resolve your issue. We have verified that severity values for discontinued OSes are properly reported, among other enhancements. You can see an example of these changes here: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/10161985201

Please update your workflows to use this release to resolve this issue:

```yaml
 - name: Vulnerability Scan GitHub Action for Amazon Inspector
   uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
```

bluesentinelsec commented 1 month ago

Thank you once again for raising this issue. This helps improve the action for all users, for which we are grateful.

I am marking this issue as resolved. Please feel free to reach out to us again if you have follow-on questions or concerns.