chore: improve message output sbom with gh #145

Merged: 2 commits merged into aquasecurity:master from the sbom-gh branch, Aug 2, 2022

Conversation

@krol3 (Collaborator) commented Jul 19, 2022

  • Improve the output with sbom and gh to show an error in case the github-pat is missing.

[Screenshot: Screen Shot 2022-07-19 at 17 10 05]

@krol3 requested a review from simar7 Jul 19, 2022
"text": "Vulnerability CVE-2016-5385\nSeverity: HIGH\nPackage: guzzlehttp/guzzle\nFixed Version: 5.3.1, 6.2.1, 4.2.4\nLink: [CVE-2016-5385](https://avd.aquasec.com/nvd/cve-2016-5385)\nPHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue.",
"markdown": "**Vulnerability CVE-2016-5385**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|guzzlehttp/guzzle|5.3.1, 6.2.1, 4.2.4|[CVE-2016-5385](https://avd.aquasec.com/nvd/cve-2016-5385)|\n\nPHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue."
"text": "Vulnerability CVE-2016-5385\nSeverity: HIGH\nPackage: guzzlehttp/guzzle\nFixed Version: 4.2.4, 5.3.1, 6.2.1\nLink: [CVE-2016-5385](https://avd.aquasec.com/nvd/cve-2016-5385)\nPHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue.",
"markdown": "**Vulnerability CVE-2016-5385**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|guzzlehttp/guzzle|4.2.4, 5.3.1, 6.2.1|[CVE-2016-5385](https://avd.aquasec.com/nvd/cve-2016-5385)|\n\nPHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue."
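Review bot: the two copies of the CVE-2016-5385 entry differ only in the order of the Fixed Version list ("5.3.1, 6.2.1, 4.2.4" versus "4.2.4, 5.3.1, 6.2.1"), so a golden file that stores this text verbatim will fail again the next time the upstream database re-sorts the list; either sort the comma-separated versions before comparing, or drop the content comparison and assert only that the output is structurally a SARIF document.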
@simar7 (Member) commented Jul 19, 2022

I think we need to find a better solution here. SARIF outputs (and JSON based outputs in general) have no ordering and as a result keep changing over time, resulting in unnecessary test failures.

Could you look into maybe changing the test target to not be something with lots of vulnerabilities (like what we have today with knqyf263/vuln-image:1.2.3) but rather something that does not have a lot (or any vulnerabilities)? Could be a small repo/fs golden test directory we could test against.

In this case we don't actually care about what is in the output (content/vulnerabilities), but rather about the structure of the output (the SARIF test should produce a SARIF, etc.).
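
The structure-only comparison proposed in this comment, together with a canonicalisation step for the ordering problem, as an added example. This is not test code from trivy-action; it is written in Python rather than the action's shell because the check is about JSON shape, the sample SARIF report is constructed by hand to resemble Trivy's output (the placeholder rule id EXAMPLE-0001 is not a real advisory), and the function names sarif_problems, canonicalize, same_report and make_report are this example's own.

```python
"""Structure check and canonicalisation for SARIF golden-file tests.

Added example for the review discussion above, not code from trivy-action.
The sample report is constructed to look like a Trivy SARIF result.
"""
import json
import re
from copy import deepcopy

# Matches the "Fixed Version: 5.3.1, 6.2.1, 4.2.4" line in a rule's help
# text; the order of that list is what differed between the two copies of
# the CVE-2016-5385 entry quoted in the review.
FIXED_VERSION_RE = re.compile(r"(Fixed Version:[ \t]*)([^\n]+)")


def _rule(rule_id, fixed):
    """Constructed Trivy-style rule entry (sample data, not real scanner output)."""
    text = (f"Vulnerability {rule_id}\nSeverity: HIGH\nPackage: guzzlehttp/guzzle\n"
            f"Fixed Version: {fixed}\n")
    return {"id": rule_id, "help": {"text": text}}


def make_report(fixed_order, result_order):
    """Constructed SARIF 2.1.0 document shaped like Trivy's output."""
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "Trivy", "rules": [
                _rule("CVE-2016-5385", fixed_order),
                _rule("EXAMPLE-0001", "1.0.1"),  # placeholder id, not a real advisory
            ]}},
            "results": [
                {"ruleId": rid, "level": "error",
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "composer.lock"}}}]}
                for rid in result_order
            ],
        }],
    }


def sarif_problems(doc):
    """Check only the shape of a report; an empty list means 'this is a SARIF'.

    Which CVEs or versions appear is deliberately not inspected, so the check
    keeps passing when the vulnerability database moves on.
    """
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version is not 2.1.0")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs is missing or empty"]
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"runs[{i}].tool.driver.name is missing")
        known = {r.get("id") for r in driver.get("rules", [])}
        results = run.get("results")
        if not isinstance(results, list):
            problems.append(f"runs[{i}].results is not a list")
            continue
        for j, res in enumerate(results):
            rid = res.get("ruleId")
            if not isinstance(rid, str):
                problems.append(f"runs[{i}].results[{j}].ruleId is missing")
            elif known and rid not in known:
                problems.append(f"runs[{i}].results[{j}] references unknown rule {rid}")
    return problems


def _sort_fixed_versions(text):
    # Any deterministic order will do for comparison; a plain string sort is enough.
    def repl(match):
        versions = sorted(v.strip() for v in match.group(2).split(","))
        return match.group(1) + ", ".join(versions)
    return FIXED_VERSION_RE.sub(repl, text)


def canonicalize(doc):
    """Return a copy with every order-dependent part normalised.

    Rules are sorted by id, results by their full JSON form, and the
    fixed-version list in each rule's help text is sorted, so two scans that
    differ only in ordering compare equal.
    """
    out = deepcopy(doc)
    for run in out.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        for rule in driver.get("rules", []):
            help_ = rule.get("help", {})
            if isinstance(help_.get("text"), str):
                help_["text"] = _sort_fixed_versions(help_["text"])
        driver.get("rules", []).sort(key=lambda r: r.get("id", ""))
        run.get("results", []).sort(key=lambda r: json.dumps(r, sort_keys=True))
    return out


def same_report(a, b):
    """True when two reports are equal after canonicalisation."""
    return json.dumps(canonicalize(a), sort_keys=True) == json.dumps(canonicalize(b), sort_keys=True)
```

A golden test built on this would run `sarif_problems` on the freshly produced report and fail only on a non-empty list; `same_report` is the fallback if a content comparison against a stored fixture is still wanted. The markdown variant of the help text (a table cell rather than a "Fixed Version:" line) is not normalised here and would need its own rule.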

@simar7 (Member) commented Jul 22, 2022

One idea I have for this is to use images that are no longer actively supported in terms of security updates, like alpine:3.10. They aren't failsafe in terms of the above problem but are an easier target to move to rather than creating the golden artifacts from scratch.

@krol3 (Collaborator, Author) commented Jul 27, 2022

@simar7 done!

@krol3 requested a review from simar7 Jul 27, 2022
entrypoint.sh Outdated
trivyConfig=$(echo $trivyConfig | tr -d '\r')
if [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} $ARGS ${artifactRef}
returnCode=$?
else
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
returnCode=$?
fi
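Review bot: `if [ $trivyConfig ]; then` relies on an unquoted expansion; it happens to evaluate false when the variable is empty, but a config path containing whitespace or a glob character breaks the test, and the same unquoted `$trivyConfig` is passed to `echo` and to `trivy --config`. Use `if [ -n "$trivyConfig" ]; then` and `trivy --config "$trivyConfig" ${scanType} $ARGS ${artifactRef}`; leaving `$ARGS` unquoted is fine, since it is meant to split into separate options.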
@simar7 (Member) commented Jul 29, 2022

Not sure what happened here but this wasn't rebased correctly. See current master branch for details. https://github.com/aquasecurity/trivy-action/blob/master/entrypoint.sh#L167

@krol3 requested a review from simar7 Jul 30, 2022
@simar7 approved these changes Aug 2, 2022
@simar7 merged commit 0d7cf2d into aquasecurity:master Aug 2, 2022
2 checks passed
@krol3 deleted the sbom-gh branch Aug 2, 2022