aws-actions / vulnerability-scan-github-action-for-amazon-inspector

Scan artifacts with Amazon Inspector from GitHub Actions workflows.
https://docs.aws.amazon.com/inspector/
MIT License

bug: unable to trace source of `critical` vulnerability #82

Closed snooyen closed 2 weeks ago

snooyen commented 3 weeks ago

Description

The scan action is reporting a critical vulnerability, but we are unable to identify which vulnerability received a critical rating through either the MarkDown summary or the uploaded scan results (JSON format).

Expected Behavior

If the scanning tool reports critical vulnerabilities found, we'd expect to be able to identify the critical vulnerability and resolve it to the relevant component.

Actual Behavior

MarkDown Summary:

# Amazon Inspector Scan Results
Artifact Name: <REDACTED>

Artifact Type: container

## Vulnerability Counts by Severity

| Severity | Count |
|----------|-------|
| Critical | 1|
| High     | 3|
| Medium   | 4|
| Low      | 0|
| Other    | 0|

## Vulnerability Findings

| ID | Severity | Source | [CVSS](https://www.first.org/cvss/) | Installed Package ([PURL](https://github.com/package-url/purl-spec/tree/master?tab=readme-ov-file#purl)) | Fixed Package | Path | [EPSS](https://www.first.org/epss/) | Exploit Available | Exploit Last Seen | CWEs |
| ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- |
| CVE-2022-23539 | high | NVD | 8.1 | `pkg:npm/jsonwebtoken@8.5.1` | `9.0.0` | `/usr/app/server/node_modules/jsonwebtoken/package.json` | 0.001 |  |  | `CWE-327` |
| CVE-2022-23540 | high | NVD | 7.6 | `pkg:npm/jsonwebtoken@8.5.1` | `9.0.0` | `/usr/app/server/node_modules/jsonwebtoken/package.json` | 0.00088 | true | 2024-08-03T14:21:33Z | `CWE-347`<br><br>`CWE-287` |
| CVE-2023-45857 | medium | NVD | 6.5 | `pkg:npm/axios@0.27.2`<br><br>`pkg:npm/axios@0.21.4` | `0.28.0` | `/usr/app/server/node_modules/auth0/node_modules/axios/package.json`<br><br>`/usr/app/server/node_modules/jwks-rsa/node_modules/axios/package.json` | 0.00055 | true | 2024-08-19T03:24:46Z | `CWE-352` |
| CVE-2024-28849 | medium | MITRE | 6.5 | `pkg:npm/follow-redirects@1.15.5` | `1.15.6` | `/usr/app/server/node_modules/follow-redirects/package.json` | 0.00044 |  |  | `CWE-200` |
| CVE-2022-23541 | medium | NVD | 6.3 | `pkg:npm/jsonwebtoken@8.5.1` | `9.0.0` | `/usr/app/server/node_modules/jsonwebtoken/package.json` | 0.00091 |  |  | `CWE-1259`<br><br>`CWE-287` |
| CVE-2024-28176 | medium | MITRE | 4.9 | `pkg:npm/jose@4.15.4` | `4.15.5` | `/usr/app/server/node_modules/jose/package.json` | 0.00044 |  |  | `CWE-400` |
| CVE-2024-39338 | untriaged | NVD |  | `pkg:npm/axios@1.6.7` | `1.7.4` | `/usr/app/server/node_modules/axios/package.json` | 0.00043 |  |  | `CWE-918` |
| CVE-2024-41818 | untriaged | NVD |  | `pkg:npm/fast-xml-parser@4.2.5` | `4.4.1` | `/usr/app/server/node_modules/fast-xml-parser/package.json` | 0.00045 |  |  |  |

Steps to Reproduce

Run Inputs:

Run aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
  with:
    artifact_type: container
    artifact_path: <REDACTED>
    display_vulnerability_findings: enabled
    critical_threshold: 1
    high_threshold: 0
    medium_threshold: 0
    low_threshold: 0
    other_threshold: 0
    output_sbom_path: ./sbom_1079608527.json
    output_inspector_scan_path: inspector_scan_10479608527.json
    output_inspector_scan_path_csv: inspector_scan_1047960827.csv
    output_inspector_scan_path_markdown: inspector_scan_1047908527.md
    output_inspector_dockerfile_scan_path_csv: inspector_dockerfile_scan_1049608527.csv
    output_inspector_dockerfile_scan_path_markdown: inspector_dockerfile_scan_1047960527.md
    sbomgen_version: latest
    scanners: ''
    skip_scanners: ''
    skip_files: ''
    timeout: 600
  env:
    AWS_DEFAULT_REGION: <REDACTED>
    AWS_REGION: <REDACTED>
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***

We cannot provide you with our container image, but you can refer to the included scan MarkDown summary or attached scan result JSON file (components list removed).

inspector_scan_10479608527.json
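A check for exactly the mismatch this report shows, added here as an example and not code from the action or from AWS: it parses the markdown summary the action writes, recounts severities from the "Vulnerability Findings" rows, and flags every severity whose "Vulnerability Counts by Severity" figure differs from the rows actually listed. The section headings and column names it relies on are the ones in the summary above; the sample input is that summary reproduced as constructed test data. Whether "untriaged" rows are meant to count under "Other" is not stated anywhere in this thread, so the script reports them separately instead of assuming a bucket.

```python
"""Reconcile the two tables in an Amazon Inspector GitHub Action summary.

Added example for this issue thread, not code from the action or from AWS.
It recounts severities from the "Vulnerability Findings" rows and reports
every severity whose "Vulnerability Counts by Severity" figure does not
match the rows listed. Run against the summary quoted in the issue it shows
a critical count of 1 with no critical row behind it, which is the
untraceable finding the reporter describes.
"""
import re
from collections import Counter

# Sample input: the summary quoted in the issue, reproduced as constructed
# test data (artifact name already redacted there; paths kept as posted).
SAMPLE_SUMMARY = """\
# Amazon Inspector Scan Results
Artifact Name: <REDACTED>

Artifact Type: container

## Vulnerability Counts by Severity

| Severity | Count |
|----------|-------|
| Critical | 1|
| High     | 3|
| Medium   | 4|
| Low      | 0|
| Other    | 0|

## Vulnerability Findings

| ID | Severity | Source | [CVSS](https://www.first.org/cvss/) | Installed Package | Fixed Package | Path | [EPSS](https://www.first.org/epss/) | Exploit Available | Exploit Last Seen | CWEs |
| ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- |
| CVE-2022-23539 | high | NVD | 8.1 | `pkg:npm/jsonwebtoken@8.5.1` | `9.0.0` | `/usr/app/server/node_modules/jsonwebtoken/package.json` | 0.001 |  |  | `CWE-327` |
| CVE-2022-23540 | high | NVD | 7.6 | `pkg:npm/jsonwebtoken@8.5.1` | `9.0.0` | `/usr/app/server/node_modules/jsonwebtoken/package.json` | 0.00088 | true | 2024-08-03T14:21:33Z | `CWE-347`<br><br>`CWE-287` |
| CVE-2023-45857 | medium | NVD | 6.5 | `pkg:npm/axios@0.27.2`<br><br>`pkg:npm/axios@0.21.4` | `0.28.0` | `/usr/app/server/node_modules/auth0/node_modules/axios/package.json`<br><br>`/usr/app/server/node_modules/jwks-rsa/node_modules/axios/package.json` | 0.00055 | true | 2024-08-19T03:24:46Z | `CWE-352` |
| CVE-2024-28849 | medium | MITRE | 6.5 | `pkg:npm/follow-redirects@1.15.5` | `1.15.6` | `/usr/app/server/node_modules/follow-redirects/package.json` | 0.00044 |  |  | `CWE-200` |
| CVE-2022-23541 | medium | NVD | 6.3 | `pkg:npm/jsonwebtoken@8.5.1` | `9.0.0` | `/usr/app/server/node_modules/jsonwebtoken/package.json` | 0.00091 |  |  | `CWE-1259`<br><br>`CWE-287` |
| CVE-2024-28176 | medium | MITRE | 4.9 | `pkg:npm/jose@4.15.4` | `4.15.5` | `/usr/app/server/node_modules/jose/package.json` | 0.00044 |  |  | `CWE-400` |
| CVE-2024-39338 | untriaged | NVD |  | `pkg:npm/axios@1.6.7` | `1.7.4` | `/usr/app/server/node_modules/axios/package.json` | 0.00043 |  |  | `CWE-918` |
| CVE-2024-41818 | untriaged | NVD |  | `pkg:npm/fast-xml-parser@4.2.5` | `4.4.1` | `/usr/app/server/node_modules/fast-xml-parser/package.json` | 0.00045 |  |  |  |
"""

SEPARATOR_CELL = re.compile(r":?-+:?")


def split_sections(markdown):
    """Group lines under their '## ' heading; text before the first heading is dropped."""
    sections, current = {}, None
    for line in markdown.splitlines():
        if line.startswith("## "):
            current = line[3:].strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_table(lines):
    """Parse the first markdown pipe table in `lines` into (header, list of row dicts)."""
    header, rows = None, []
    for line in lines:
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue
        cells = [c.strip() for c in line[1:-1].split("|")]
        if all(SEPARATOR_CELL.fullmatch(c) for c in cells):
            continue  # the |---|---| alignment row
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return header, rows


def reconcile(summary_md):
    """Return (mismatches, unbucketed).

    mismatches: severity -> (count claimed by the summary table, rows actually listed)
    unbucketed: severities present in the findings table but absent from the summary
                table (e.g. 'untriaged'); the thread does not say which bucket, if any,
                they belong to, so they are reported rather than assigned.
    """
    sections = split_sections(summary_md)
    _, count_rows = parse_table(sections["Vulnerability Counts by Severity"])
    _, finding_rows = parse_table(sections["Vulnerability Findings"])
    reported = {r["Severity"].lower(): int(r["Count"]) for r in count_rows}
    listed = Counter(r["Severity"].lower() for r in finding_rows)
    mismatches = {sev: (n, listed.get(sev, 0))
                  for sev, n in reported.items() if n != listed.get(sev, 0)}
    unbucketed = {sev: n for sev, n in listed.items() if sev not in reported}
    return mismatches, unbucketed


if __name__ == "__main__":
    mismatches, unbucketed = reconcile(SAMPLE_SUMMARY)
    for sev, (claimed, shown) in sorted(mismatches.items()):
        print(f"{sev}: summary claims {claimed}, findings table lists {shown}")
    for sev, n in sorted(unbucketed.items()):
        print(f"{sev}: {n} row(s) with no severity bucket in the summary table")
    # Non-zero exit so a CI step can fail when a count cannot be traced to a row.
    raise SystemExit(1 if mismatches else 0)
```

On the summary above this reports `critical: summary claims 1, findings table lists 0` and `high: summary claims 3, findings table lists 2`, plus two `untriaged` rows that no summary bucket accounts for. Pointing the script at the action's `output_inspector_scan_path_markdown` file as a workflow step makes the same untraceable-count condition fail the job instead of surfacing only as a threshold breach.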

bluesentinelsec commented 3 weeks ago

Hello, thank you for reaching out. We are confirming receipt of your issue. We will begin investigating and will report back after we've triaged the issue.

bluesentinelsec commented 3 weeks ago

@snooyen may I ask you to send us the complete inspector_scan.json file? I would like to trace the file in detail to see where the critical is coming from.

You can email it to us at inspector-opensource@amazon.com or you can cut a ticket through AWS if you have a support plan: https://aws.amazon.com/contact-us/

snooyen commented 3 weeks ago

@bluesentinelsec I've sent you the complete scan JSON to inspector-opensource@amazon.com! Thanks!

bluesentinelsec commented 3 weeks ago

@snooyen we have identified the issue and we are working on a fix. We will notify you when a fix is available.

bluesentinelsec commented 2 weeks ago

@snooyen our fix has been implemented within the Amazon Inspector service. The issue should resolve on your end without you needing to do anything. Can you please confirm whether your issue is resolved?

bluesentinelsec commented 2 weeks ago

I'm going to mark this issue as resolved. Please re-open the issue if your problem is not resolved to your satisfaction.