
GitHub Action - analysis fails after sarif upload #1038

Closed · mgmgwi opened this issue Jun 2, 2021 · 24 comments · Fixed by #1376
Labels: kind/bug (Categorizes issue or PR as related to a bug), lifecycle/stale (Denotes an issue or PR has remained open with no activity and will be auto-closed)

Comments

mgmgwi commented Jun 2, 2021

Description

I'm scanning a docker image and want to upload the result via the github/codeql-action/upload-sarif@v1 action.

name: Trivy Analysis

on:
  push:

jobs:
  trivy_analysis:
    name: Trivy Analysis
    runs-on: "ubuntu-18.04"
    steps:
      - name: Run Trivy on python:3.6-slim-buster
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'python:3.6-slim-buster'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-slim-buster.sarif'
          severity: 'CRITICAL,HIGH'

      # Upload works fine, but analysis fails
      - name: Upload Trivy slim-buster scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-slim-buster.sarif'

What did you expect to happen?

The SARIF file gets analyzed correctly.

What happened instead?

The error 'Analysis failed for trivy-workflow' is shown on the Code scanning alerts tab.


Output of run with -debug:

not available

Output of trivy -v:

Run aquasecurity/trivy-action@master
  with:
    image-ref: python:3.6-slim-buster
    format: template
    template: @/contrib/sarif.tpl
    output: trivy-slim-buster.sarif
    severity: CRITICAL,HIGH
    scan-type: image
    scan-ref: .
    exit-code: 0
    ignore-unfixed: false
    vuln-type: os,library
/usr/bin/docker run --name a33c1b243f0bb5ad54f939442448bb6a70f7e_e14d32 --label 8a33c1 --workdir /github/workspace --rm -e INPUT_IMAGE-REF -e INPUT_FORMAT -e INPUT_TEMPLATE -e INPUT_OUTPUT -e INPUT_SEVERITY -e INPUT_SCAN-TYPE -e INPUT_INPUT -e INPUT_SCAN-REF -e INPUT_EXIT-CODE -e INPUT_IGNORE-UNFIXED -e INPUT_VULN-TYPE -e INPUT_SKIP-DIRS -e INPUT_CACHE-DIR -e INPUT_TIMEOUT -e INPUT_IGNORE-POLICY -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/indy-node-container/indy-node-container":"/github/workspace" 8a33c1:b243f0bb5ad54f939442448bb6a70f7e  "-a image" "-b template" "-c @/contrib/sarif.tpl" "-d 0" "-e false" "-f os,library" "-g CRITICAL,HIGH" "-h trivy-slim-buster.sarif" "-i python:3.6-slim-buster" "-j ." "-k " "-l " "-m " "-n " "-o "
Running trivy with options:  --no-progress  --format  template --template  @/contrib/sarif.tpl --exit-code  0 --vuln-type  os,library --severity  CRITICAL,HIGH --output  trivy-slim-buster.sarif  python:3.6-slim-buster
Global options:  
2021-06-02T06:51:17.428Z	INFO	Need to update DB
2021-06-02T06:51:17.429Z	INFO	Downloading DB...
2021-06-02T06:51:20.595Z	INFO	Detecting Debian vulnerabilities...
2021-06-02T06:51:20.605Z	INFO	Trivy skips scanning programming language libraries because no supported file was detected

Additional details (base image name, container registry info...):

Uploading the result file to the Microsoft SARIF validator shows these problems:

  • GH1003: runs[0].results[0].locations[0].physicalLocation: The 'region' property is absent. GitHub Advanced Security code scanning can display the correct location only for results that provide a 'region' object with line and optional column information. At minimum, 'region.startLine' is required. 'region' can also provide 'startColumn', 'endLine', and 'endColumn', although all of those have reasonable defaults.
  • GH1005: runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri: 'python:3.6-slim-buster' is not a file path. GitHub Advanced Security code scanning only displays results whose locations are specified by file paths, either as relative URIs or as absolute URIs that use the 'file' scheme.
  • SARIF1004: runs[0].results[0].locations[0].physicalLocation.artifactLocation: This 'artifactLocation' object has a 'uriBaseId' property 'ROOTPATH', but its 'uri' property 'python:3.6-slim-buster' is an absolute URI. Since the purpose of 'uriBaseId' is to resolve a relative reference to an absolute URI, it is not allowed when the 'uri' property is already an absolute URI.
  • SARIF2012: runs[0].tool.driver.rules[0].name: 'OS Package Vulnerability (Debian)' is not a Pascal-case identifier. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'.

I don't know whether these problems are the cause of the error, but maybe they can be fixed by adjusting this block

trivy/contrib/sarif.tpl, lines 76 to 80 at fb19abd:

"physicalLocation": {
"artifactLocation": {
"uri": "{{ toPathUri $filePath }}",
"uriBaseId": "ROOTPATH"
}

if a Docker image is scanned.

@mgmgwi mgmgwi added the kind/bug Categorizes issue or PR as related to a bug. label Jun 2, 2021
rahul2393 (Contributor) commented:

Hello @mgmgwi, I have created a test public repo, https://github.com/rahul2393/trivy-workflow. I am trying to replicate the error; can you help me? The upload step works fine.

mgmgwi (Author) commented Jun 29, 2021

Did you enable Code scanning in the repo settings (in Security & analysis)? There should be entries in https://github.com/rahul2393/trivy-workflow/security (Code scanning alerts) if the analysis worked.

mgmgwi (Author) commented Jun 29, 2021

One more note: they recently updated python:3.6-slim-buster to Debian 10.10 so maybe it got "fixed" that way.

rahul2393 (Contributor) commented Jun 29, 2021

I am trying to set it up, but I am not able to; do you have access to set it up?
[two screenshots]

rahul2393 (Contributor) commented:

Can you also check whether putting this template in your root directory
https://github.com/rahul2393/trivy-ci-test/blob/sarif_test/sarif_test.tpl
and using it in your action like this
https://github.com/rahul2393/trivy-ci-test/blob/sarif_test/.github/workflows/scan.yml#L16
instead of '@/contrib/sarif.tpl' makes any difference?

mgmgwi (Author) commented Jun 29, 2021

> I am trying to set it up, but I am not able to; do you have access to set it up?

Hmm, there might be a problem with GitHub right now. I tried setting it up on a fork but it doesn't work. So we may need to wait for GitHub until they fix their code scanning.

rahul2393 (Contributor) commented:

OK, thanks for checking quickly. Can you also check the above sarif_test.tpl? I ran its output through the validator and it passes; let me know if you still face the error with the above template.

mgmgwi (Author) commented Jun 29, 2021

I tried the new template, you can see the result file here: https://github.com/mgmgwi/trivy-workflow/actions/runs/982158248

The SARIF Validator complains about:

  • GH1001: Each result location must provide the property 'physicalLocation.artifactLocation.uri'. GitHub Advanced Security code scanning will not display a result whose location does not provide the URI of the artifact that contains the result.
  • SARIF2012: Rule metadata should provide information that makes it easy to understand and fix the problem. Provide the 'name' property, which contains a "friendly name" that helps users see at a glance the purpose of the rule. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'. Provide the 'helpUri' property, which contains a URI where users can find detailed information about the rule. This information should include a detailed description of the invalid pattern, an explanation of why the pattern is poor practice (particularly in contexts such as security or accessibility where driving considerations might not be readily apparent), guidance for resolving the problem (including describing circumstances in which ignoring the problem altogether might be appropriate), examples of invalid and valid patterns, and special considerations (such as noting when a violation should never be ignored or suppressed, noting when a violation could cause downstream tool noise, and noting when a rule can be configured in some way to refine or alter the analysis).

But I don't think that these would cause the code analysis to fail.

eddynaka commented Aug 4, 2021

Hello,

just a quick introduction: we are working closely with GH, helping tools integrate with GH Actions.
I, Yong and Shaopeng work in the SARIF ecosystem and we can help with those issues.

Looking at this, the issues are related to the GH rules.
Those are required for GitHub to be able to process a SARIF file.

@yongyan-gh @shaopeng-gh, can you check if we can improve the sarif file?

yongyan-gh (Contributor) commented Aug 4, 2021

The artifactLocation Uri value comes from the .Target field of the Result struct.
According to #935 (comment):

> Depending on what's being scanned, .Target will vary. In the case of programming library vulnerabilities, it will be a lock file (e.g. node-app/package-lock.json, etc.). In the case of an OS package vulnerability, it will be the distro:version (e.g. alpine:3.11), and finally in the case of a tarball scan, it will be what you described above.

From the .sarif file we can see the vulnerability is an OS package vulnerability:

              "name": "OS Package Vulnerability (Debian)",
              "shortDescription": {
                "text": "CVE-2011-3374 Package: apt"
              },

Can you please suggest the right file Uri to use in this case? @simar7

simar7 (Member) commented Aug 5, 2021

> The artifactLocation Uri value comes from the .Target field of the Result struct.
> According to #935 (comment):
>
> > Depending on what's being scanned, .Target will vary. In the case of programming library vulnerabilities, it will be a lock file (e.g. node-app/package-lock.json, etc.). In the case of an OS package vulnerability, it will be the distro:version (e.g. alpine:3.11), and finally in the case of a tarball scan, it will be what you described above.
>
> From the .sarif file we can see the vulnerability is an OS package vulnerability:
>
>               "name": "OS Package Vulnerability (Debian)",
>               "shortDescription": {
>                 "text": "CVE-2011-3374 Package: apt"
>               },
>
> Can you please suggest the right file Uri to use in this case? @simar7

It looks like a vulnerability in apt so the Uri should point to the apt binary IMO.

eddynaka commented Aug 5, 2021

Hi @simar7, the issue that we are seeing here is:

  1. what did Trivy analyze to generate the SARIF? (probably a Dockerfile, other files)
  2. if it's a Dockerfile, the Dockerfile should be the Uri, because this is the place where we have the issue, right? At least, that's the place where the developer must change something to fix it.

Today, per my understanding, we are pointing to a place that isn't a file in the repository/files that you analyzed... which is generating the issue above.
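The validator findings quoted in the issue body (GH1003, GH1005, SARIF1004, and GH1001 for the alternative template) and the suggestion above to point the location at the file that produced the image can be turned into a small pre-upload gate. The script below is an added example, not code from the Trivy project, from the trivy-action, or from GitHub: it re-implements those four location checks so a workflow can fail before calling upload-sarif, and rewrites the file so that every result has a region and a repository-relative file URI. The fallback path "Dockerfile", the property name trivyTarget, the helper names and the embedded sample document are all assumptions made for the example; the sample is constructed in the shape of the template output posted in this issue and is not a real scan.

```python
# Added example (not Trivy's, trivy-action's or GitHub's code): a pre-upload
# gate for SARIF rendered with Trivy's contrib/sarif.tpl. It reproduces the
# location checks quoted in this issue (GH1001, GH1003, GH1005, SARIF1004)
# and rewrites the file so code scanning can pin each result to a file in
# the repository. The fallback path "Dockerfile" and the helper names are
# assumptions for the example.
import copy
import json
import re
import sys

# RFC 3986 scheme prefix. "python:3.6-slim-buster" matches, which is why the
# validator calls it an absolute URI; "oryd/kratos:<sha>" does not (the '/'
# is not a scheme character), which is why that file only got GH1003/SARIF1004.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def is_absolute_uri(uri: str) -> bool:
    return bool(_SCHEME.match(uri))


def is_file_path(uri: str) -> bool:
    # GH1005: code scanning only displays relative URIs or file-scheme URIs.
    return not is_absolute_uri(uri) or uri.startswith("file:")


def check_github_rules(sarif: dict) -> list:
    """Return (ruleId, jsonPath) pairs for every result location GitHub would reject."""
    findings = []
    for r, run in enumerate(sarif.get("runs", [])):
        for i, result in enumerate(run.get("results", [])):
            for j, loc in enumerate(result.get("locations", [])):
                where = f"runs[{r}].results[{i}].locations[{j}].physicalLocation"
                phys = loc.get("physicalLocation", {})
                art = phys.get("artifactLocation", {})
                uri = art.get("uri")
                if uri is None:
                    findings.append(("GH1001", where + ".artifactLocation"))
                else:
                    if not is_file_path(uri):
                        findings.append(("GH1005", where + ".artifactLocation.uri"))
                    if "uriBaseId" in art and is_absolute_uri(uri):
                        findings.append(("SARIF1004", where + ".artifactLocation"))
                if "startLine" not in phys.get("region", {}):
                    findings.append(("GH1003", where))
    return findings


def fix_for_github(sarif: dict, fallback_path: str = "Dockerfile") -> dict:
    """Return a copy whose result locations pass check_github_rules().

    Trivy's .Target is a lock file for library findings (kept as-is) but an
    image reference for OS-package findings; the latter is replaced by
    fallback_path and the original target is kept in result.properties.
    """
    fixed = copy.deepcopy(sarif)
    for run in fixed.get("runs", []):
        # Every URI below is relative to the checkout root, so no base id is needed.
        run.pop("originalUriBaseIds", None)
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.setdefault("physicalLocation", {})
                art = phys.setdefault("artifactLocation", {})
                uri = art.get("uri")
                if uri is None or not is_file_path(uri):
                    result.setdefault("properties", {})["trivyTarget"] = uri
                    art["uri"] = fallback_path
                art.pop("uriBaseId", None)  # SARIF1004
                phys.setdefault("region", {}).setdefault("startLine", 1)  # GH1003
    return fixed


# Constructed sample (not a real scan) in the shape of the posted template
# output: one OS-package finding targeting the image, one library finding
# targeting a lock file.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": []}},
        "results": [
            {"ruleId": "python:3.6-slim-buster (debian 10.9): apt-1.8.2.2 CVE-2011-3374",
             "level": "error", "message": {"text": "constructed"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "python:3.6-slim-buster", "uriBaseId": "ROOTPATH"}}}]},
            {"ruleId": "node-app/package-lock.json (npm): lodash-4.17.15 CVE-2020-8203",
             "level": "error", "message": {"text": "constructed"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "node-app/package-lock.json", "uriBaseId": "ROOTPATH"}}}]},
        ],
        "originalUriBaseIds": {"ROOTPATH": {"uri": "/"}},
    }],
}

if __name__ == "__main__":
    # Usage: python sarif_gate.py trivy-results.sarif fixed.sarif
    with open(sys.argv[1]) as fh:
        doc = json.load(fh)
    for rule, path in check_github_rules(doc):
        print(f"{rule}: {path}", file=sys.stderr)
    with open(sys.argv[2], "w") as fh:
        json.dump(fix_for_github(doc), fh, indent=2)
```

Run it as a step between the trivy-action step and upload-sarif, passing the rewritten file to sarif_file. Dropping uriBaseId and originalUriBaseIds rather than repairing "/" is deliberate: code scanning resolves relative URIs against the checkout root, so a base id adds nothing here and the "/" value is exactly what the validator rejected as a non-absolute top-level base.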

simar7 (Member) commented Aug 6, 2021

Roger that. @rahul2393 - could you have another look at it?

eddynaka commented:

Hi @simar7, let us know if we can help with this bugfix, ok?
Thank you

tricky42 commented Sep 4, 2021

I am trying to get Trivy (and Dockle) to work with GitHub Code Scanning. Sadly the results are not processed on the GitHub side and I can't find any more details in the GitHub UI.

You can find the GitHub Actions workflow here: https://github.com/tricky42/kratos/blob/5775b9027eee48f4bb94953c067043456604a92c/.github/workflows/scan.yml#L39

The GitHub UI shows the following error: [screenshot]

I am using the customized template to include the locations as mentioned above: https://github.com/tricky42/kratos/blob/master/.github/trivy/sarif.tpl

This is the content of the created trivy-results.sarif file:

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Trivy",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "fullName": "Trivy Vulnerability Scanner",
          "version": "0.15.0",
          "rules": [
            {
              "id": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): apk-tools-2.10.6-r0 CVE-2021-36159",
              "name": "OS Package Vulnerability (Alpine)",
              "shortDescription": {
                "text": "CVE-2021-36159 Package: apk-tools"
              },
              "fullDescription": {
                "text": "."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-36159",
              "help": {
                "text": "Vulnerability CVE-2021-36159\nSeverity: CRITICAL\nPackage: apk-tools\nInstalled Version: 2.10.6-r0\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)",
                "markdown": "**Vulnerability CVE-2021-36159**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|CRITICAL|apk-tools|2.10.6-r0|2.10.7-r0|[CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)|\n"
              },
              "properties": {
                "tags": [
                  "vulnerability",
                  "CRITICAL",
                  "apk-tools"
                ],
                "precision": "very-high"
              }
            },
            {
              "id": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libcrypto1.1-1.1.1k-r0 CVE-2021-3711",
              "name": "OS Package Vulnerability (Alpine)",
              "shortDescription": {
                "text": "CVE-2021-3711 Package: libcrypto1.1"
              },
              "fullDescription": {
                "text": "openssl: SM2 Decryption Buffer Overflow."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-3711",
              "help": {
                "text": "Vulnerability CVE-2021-3711\nSeverity: CRITICAL\nPackage: libcrypto1.1\nInstalled Version: 1.1.1k-r0\nFixed Version: 1.1.1l-r0\nLink: [CVE-2021-3711](https://avd.aquasec.com/nvd/cve-2021-3711)",
                "markdown": "**Vulnerability CVE-2021-3711**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|CRITICAL|libcrypto1.1|1.1.1k-r0|1.1.1l-r0|[CVE-2021-3711](https://avd.aquasec.com/nvd/cve-2021-3711)|\n"
              },
              "properties": {
                "tags": [
                  "vulnerability",
                  "CRITICAL",
                  "libcrypto1.1"
                ],
                "precision": "very-high"
              }
            },
            {
              "id": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libcrypto1.1-1.1.1k-r0 CVE-2021-3712",
              "name": "OS Package Vulnerability (Alpine)",
              "shortDescription": {
                "text": "CVE-2021-3712 Package: libcrypto1.1"
              },
              "fullDescription": {
                "text": "openssl: Read buffer overruns processing ASN.1 strings."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-3712",
              "help": {
                "text": "Vulnerability CVE-2021-3712\nSeverity: HIGH\nPackage: libcrypto1.1\nInstalled Version: 1.1.1k-r0\nFixed Version: 1.1.1l-r0\nLink: [CVE-2021-3712](https://avd.aquasec.com/nvd/cve-2021-3712)",
                "markdown": "**Vulnerability CVE-2021-3712**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|HIGH|libcrypto1.1|1.1.1k-r0|1.1.1l-r0|[CVE-2021-3712](https://avd.aquasec.com/nvd/cve-2021-3712)|\n"
              },
              "properties": {
                "tags": [
                  "vulnerability",
                  "HIGH",
                  "libcrypto1.1"
                ],
                "precision": "very-high"
              }
            },
            {
              "id": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libssl1.1-1.1.1k-r0 CVE-2021-3711",
              "name": "OS Package Vulnerability (Alpine)",
              "shortDescription": {
                "text": "CVE-2021-3711 Package: libssl1.1"
              },
              "fullDescription": {
                "text": "openssl: SM2 Decryption Buffer Overflow."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-3711",
              "help": {
                "text": "Vulnerability CVE-2021-3711\nSeverity: CRITICAL\nPackage: libssl1.1\nInstalled Version: 1.1.1k-r0\nFixed Version: 1.1.1l-r0\nLink: [CVE-2021-3711](https://avd.aquasec.com/nvd/cve-2021-3711)",
                "markdown": "**Vulnerability CVE-2021-3711**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|CRITICAL|libssl1.1|1.1.1k-r0|1.1.1l-r0|[CVE-2021-3711](https://avd.aquasec.com/nvd/cve-2021-3711)|\n"
              },
              "properties": {
                "tags": [
                  "vulnerability",
                  "CRITICAL",
                  "libssl1.1"
                ],
                "precision": "very-high"
              }
            },
            {
              "id": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libssl1.1-1.1.1k-r0 CVE-2021-3712",
              "name": "OS Package Vulnerability (Alpine)",
              "shortDescription": {
                "text": "CVE-2021-3712 Package: libssl1.1"
              },
              "fullDescription": {
                "text": "openssl: Read buffer overruns processing ASN.1 strings."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-3712",
              "help": {
                "text": "Vulnerability CVE-2021-3712\nSeverity: HIGH\nPackage: libssl1.1\nInstalled Version: 1.1.1k-r0\nFixed Version: 1.1.1l-r0\nLink: [CVE-2021-3712](https://avd.aquasec.com/nvd/cve-2021-3712)",
                "markdown": "**Vulnerability CVE-2021-3712**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|HIGH|libssl1.1|1.1.1k-r0|1.1.1l-r0|[CVE-2021-3712](https://avd.aquasec.com/nvd/cve-2021-3712)|\n"
              },
              "properties": {
                "tags": [
                  "vulnerability",
                  "HIGH",
                  "libssl1.1"
                ],
                "precision": "very-high"
              }
            }]
        }
      },
      "results": [
        {
          "ruleId": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): apk-tools-2.10.6-r0 CVE-2021-36159",
          "ruleIndex": 0,
          "level": "error",
          "message": {
            "text": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late."
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c",
                "uriBaseId": "ROOTPATH"
              }
            }
          }]
        },
        {
          "ruleId": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libcrypto1.1-1.1.1k-r0 CVE-2021-3711",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k)."
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c",
                "uriBaseId": "ROOTPATH"
              }
            }
          }]
        },
        {
          "ruleId": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libcrypto1.1-1.1.1k-r0 CVE-2021-3712",
          "ruleIndex": 2,
          "level": "error",
          "message": {
            "text": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y)."
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c",
                "uriBaseId": "ROOTPATH"
              }
            }
          }]
        },
        {
          "ruleId": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libssl1.1-1.1.1k-r0 CVE-2021-3711",
          "ruleIndex": 3,
          "level": "error",
          "message": {
            "text": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k)."
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c",
                "uriBaseId": "ROOTPATH"
              }
            }
          }]
        },
        {
          "ruleId": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libssl1.1-1.1.1k-r0 CVE-2021-3712",
          "ruleIndex": 4,
          "level": "error",
          "message": {
            "text": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y)."
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c",
                "uriBaseId": "ROOTPATH"
              }
            }
          }]
        }],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "/"
        }
      }
    }
  ]
}

And this is the report from the SARIF Validator when validating the file above:

{
 "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
 "version": "2.1.0",
 "runs": [
  {
   "results": [
    {
     "ruleId": "GH1003",
     "ruleIndex": 0,
     "level": "error",
     "message": {
      "id": "Error_MissingRegion",
      "arguments": [
       "runs[0].results[0].locations[0].physicalLocation"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 154,
         "startColumn": 33
        }
       }
      }
     ]
    },
    {
     "ruleId": "GH1003",
     "ruleIndex": 0,
     "level": "error",
     "message": {
      "id": "Error_MissingRegion",
      "arguments": [
       "runs[0].results[1].locations[0].physicalLocation"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 170,
         "startColumn": 33
        }
       }
      }
     ]
    },
    {
     "ruleId": "GH1003",
     "ruleIndex": 0,
     "level": "error",
     "message": {
      "id": "Error_MissingRegion",
      "arguments": [
       "runs[0].results[2].locations[0].physicalLocation"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 186,
         "startColumn": 33
        }
       }
      }
     ]
    },
    {
     "ruleId": "GH1003",
     "ruleIndex": 0,
     "level": "error",
     "message": {
      "id": "Error_MissingRegion",
      "arguments": [
       "runs[0].results[3].locations[0].physicalLocation"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 202,
         "startColumn": 33
        }
       }
      }
     ]
    },
    {
     "ruleId": "GH1003",
     "ruleIndex": 0,
     "level": "error",
     "message": {
      "id": "Error_MissingRegion",
      "arguments": [
       "runs[0].results[4].locations[0].physicalLocation"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 218,
         "startColumn": 33
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF1004",
     "ruleIndex": 1,
     "level": "error",
     "message": {
      "id": "Error_TopLevelUriBaseIdMustBeAbsolute",
      "arguments": [
       "runs[0].originalUriBaseIds.ROOTPATH",
       "ROOTPATH",
       "/"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 228,
         "startColumn": 21
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF1004",
     "ruleIndex": 1,
     "level": "error",
     "message": {
      "id": "Error_RelativeReferenceMustNotBeginWithSlash",
      "arguments": [
       "runs[0].originalUriBaseIds.ROOTPATH.uri",
       "/"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 229,
         "startColumn": 20
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2002",
     "ruleIndex": 2,
     "level": "note",
     "message": {
      "id": "Note_Default",
      "arguments": [
       "runs[0].results[0].message"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 150,
         "startColumn": 22
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2002",
     "ruleIndex": 2,
     "level": "note",
     "message": {
      "id": "Note_Default",
      "arguments": [
       "runs[0].results[1].message"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 166,
         "startColumn": 22
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2002",
     "ruleIndex": 2,
     "level": "note",
     "message": {
      "id": "Note_Default",
      "arguments": [
       "runs[0].results[2].message"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 182,
         "startColumn": 22
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2002",
     "ruleIndex": 2,
     "level": "note",
     "message": {
      "id": "Note_Default",
      "arguments": [
       "runs[0].results[3].message"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 198,
         "startColumn": 22
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2002",
     "ruleIndex": 2,
     "level": "note",
     "message": {
      "id": "Note_Default",
      "arguments": [
       "runs[0].results[4].message"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 214,
         "startColumn": 22
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2003",
     "ruleIndex": 3,
     "level": "note",
     "message": {
      "id": "Note_Default",
      "arguments": [
       "runs[0]"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 5,
         "startColumn": 5
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2009",
     "ruleIndex": 4,
     "level": "note",
     "message": {
      "id": "Note_UseConventionalRuleIds",
      "arguments": [
       "runs[0].tool.driver.rules[0].id",
       "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): apk-tools-2.10.6-r0 CVE-2021-36159"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 14,
         "startColumn": 126
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2009",
     "ruleIndex": 4,
     "level": "note",
     "message": {
      "id": "Note_UseConventionalRuleIds",
      "arguments": [
       "runs[0].tool.driver.rules[1].id",
       "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libcrypto1.1-1.1.1k-r0 CVE-2021-3711"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 40,
         "startColumn": 128
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2009",
     "ruleIndex": 4,
     "level": "note",
     "message": {
      "id": "Note_UseConventionalRuleIds",
      "arguments": [
       "runs[0].tool.driver.rules[2].id",
       "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libcrypto1.1-1.1.1k-r0 CVE-2021-3712"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 66,
         "startColumn": 128
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2009",
     "ruleIndex": 4,
     "level": "note",
     "message": {
      "id": "Note_UseConventionalRuleIds",
      "arguments": [
       "runs[0].tool.driver.rules[3].id",
       "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libssl1.1-1.1.1k-r0 CVE-2021-3711"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 92,
         "startColumn": 125
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2009",
     "ruleIndex": 4,
     "level": "note",
     "message": {
      "id": "Note_UseConventionalRuleIds",
      "arguments": [
       "runs[0].tool.driver.rules[4].id",
       "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libssl1.1-1.1.1k-r0 CVE-2021-3712"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 118,
         "startColumn": 125
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2012",
     "ruleIndex": 5,
     "level": "warning",
     "message": {
      "id": "Note_FriendlyNameNotAPascalIdentifier",
      "arguments": [
       "runs[0].tool.driver.rules[0].name",
       "OS Package Vulnerability (Alpine)"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 15,
         "startColumn": 57
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2012",
     "ruleIndex": 5,
     "level": "warning",
     "message": {
      "id": "Note_FriendlyNameNotAPascalIdentifier",
      "arguments": [
       "runs[0].tool.driver.rules[1].name",
       "OS Package Vulnerability (Alpine)"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 41,
         "startColumn": 57
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2012",
     "ruleIndex": 5,
     "level": "warning",
     "message": {
      "id": "Note_FriendlyNameNotAPascalIdentifier",
      "arguments": [
       "runs[0].tool.driver.rules[2].name",
       "OS Package Vulnerability (Alpine)"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 67,
         "startColumn": 57
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2012",
     "ruleIndex": 5,
     "level": "warning",
     "message": {
      "id": "Note_FriendlyNameNotAPascalIdentifier",
      "arguments": [
       "runs[0].tool.driver.rules[3].name",
       "OS Package Vulnerability (Alpine)"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 93,
         "startColumn": 57
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2012",
     "ruleIndex": 5,
     "level": "warning",
     "message": {
      "id": "Note_FriendlyNameNotAPascalIdentifier",
      "arguments": [
       "runs[0].tool.driver.rules[4].name",
       "OS Package Vulnerability (Alpine)"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif",
         "index": 0
        },
        "region": {
         "startLine": 119,
         "startColumn": 57
        }
       }
      }
     ]
    }
   ],
   "tool": {
    "driver": {
     "name": "SarifWeb",
     "organization": "SarifWeb",
     "product": "SarifWeb",
     "fullName": "SarifWeb 1.0.0.0",
     "version": "1.0.0.0",
     "semanticVersion": "1.0.0",
     "rules": [
      {
       "id": "GH1003",
       "fullDescription": {
        "text": "Every result must provide a 'region' that specifies its location with line and optional column information. GitHub Advanced Security code scanning can display the correct location only for results that provide this information. At minimum, 'region.startLine' is required. 'region' can also provide 'startColumn', 'endLine', and 'endColumn', although all of those have reasonable defaults."
       },
       "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html",
       "messageStrings": {
        "Error_MissingRegion": {
         "text": "{0}: The 'region' property is absent. GitHub Advanced Security code scanning can display the correct location only for results that provide a 'region' object with line and optional column information. At minimum, 'region.startLine' is required. 'region' can also provide 'startColumn', 'endLine', and 'endColumn', although all of those have reasonable defaults."
        },
        "Error_MissingRegionProperty": {
         "text": "{0}: The 'startLine' property is absent. GitHub Advanced Security code scanning can display the correct location only for results that provide a 'region' object with line and optional column information. At minimum, 'region.startLine' is required. 'region' can also provide 'startColumn', 'endLine', and 'endColumn', although all of those have reasonable defaults."
        }
       },
       "name": "ProvideRequiredRegionProperties",
       "defaultConfiguration": {
        "enabled": false,
        "level": "error"
       }
      },
      {
       "id": "SARIF1004",
       "fullDescription": {
        "text": "When using the 'uriBaseId' property, obey the requirements in the SARIF specification [3.4.4](https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317431) that enable it to fulfill its purpose of resolving relative references to absolute locations. In particular: If an 'artifactLocation' object has a 'uriBaseId' property, its 'uri' property must be a relative reference, because if 'uri' is an absolute URI then 'uriBaseId' serves no purpose. Every URI reference in 'originalUriBaseIds' must resolve to an absolute URI in the manner described in the SARIF specification [3.14.14](https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317498). Finally, a relative reference in 'artifactLocation.uri' must not begin with a slash, because that prevents it from combining properly with the absolute URI specified by a 'uriBaseId'."
       },
       "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html",
       "messageStrings": {
        "Error_UriBaseIdRequiresRelativeUri": {
         "text": "{0}: This 'artifactLocation' object has a 'uriBaseId' property '{1}', but its 'uri' property '{2}' is an absolute URI. Since the purpose of 'uriBaseId' is to resolve a relative reference to an absolute URI, it is not allowed when the 'uri' property is already an absolute URI."
        },
        "Error_TopLevelUriBaseIdMustBeAbsolute": {
         "text": "{0}: The '{1}' element of 'originalUriBaseIds' has no 'uriBaseId' property, but its 'uri' property '{2}' is not an absolute URI. According to the SARIF specification, every such \"top-level\" entry in 'originalUriBaseIds' must specify an absolute URI, because the purpose of 'originalUriBaseIds' is to enable the resolution of relative references to absolute URIs."
        },
        "Error_UriBaseIdValueMustEndWithSlash": {
         "text": "{0}: The '{1}' element of 'originalUriBaseIds' has a 'uri' property '{2}' that does not end with a slash. The trailing slash is required to minimize the likelihood of an error when concatenating URI segments together."
        },
        "Error_UriBaseIdValueMustNotContainDotDotSegment": {
         "text": "{0}: The '{1}' element of 'originalUriBaseIds' has a 'uri' property '{2}' that contains a '..' segment. This is dangerous because if symbolic links are present, '..' might have different meanings on the machine that produced the log file and the machine where an end user or a tool consumes it."
        },
        "Error_UriBaseIdValueMustNotContainQueryOrFragment": {
         "text": "{0}: The '{1}' element of 'originalUriBaseIds' has a 'uri' property '{2}' that contains a query or a fragment. This is not valid because the purpose of the 'uriBaseId' property is to help resolve a relative reference to an absolute URI by concatenating the relative reference to the absolute base URI. This won't work if the base URI contains a query or a fragment."
        },
        "Error_RelativeReferenceMustNotBeginWithSlash": {
         "text": "The relative reference '{0}' begins with a slash, which will prevent it from combining properly with the absolute URI specified by a 'uriBaseId'."
        }
       },
       "name": "ExpressUriBaseIdsCorrectly",
       "defaultConfiguration": {
        "level": "error"
       }
      },
      {
       "id": "SARIF2002",
       "fullDescription": {
        "text": "In result messages, use the 'message.id' and 'message.arguments' properties rather than 'message.text'. This has several advantages. If 'text' is lengthy, using 'id' and 'arguments' makes the SARIF file smaller. If the rule metadata is stored externally to the SARIF log file, the message text can be improved (for example, by adding more text, clarifying the phrasing, or fixing typos), and the result messages will pick up the improvements the next time it is displayed. Finally, SARIF supports localizing messages into different languages, which is possible if the SARIF file contains 'message.id' and 'message.arguments', but not if it contains 'message.text' directly."
       },
       "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html",
       "messageStrings": {
        "Note_Default": {
         "text": "{0}: The 'message' property of this result contains a 'text' property. Consider replacing it with 'id' and 'arguments' properties. This potentially reduces the log file size, allows the message text to be improved without modifying the log file, and enables localization."
        }
       },
       "name": "ProvideMessageArguments",
       "defaultConfiguration": {
        "level": "note"
       }
      },
      {
       "id": "SARIF2003",
       "fullDescription": {
        "text": "Provide 'versionControlProvenance' to record which version of the code was analyzed, and to enable paths to be expressed relative to the root of the repository."
       },
       "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html",
       "messageStrings": {
        "Note_Default": {
         "text": "{0}: This run does not provide 'versionControlProvenance'. As a result, it is not possible to determine which version of code was analyzed, nor to map relative paths to their locations within the repository."
        }
       },
       "name": "ProvideVersionControlProvenance",
       "defaultConfiguration": {
        "level": "note"
       }
      },
      {
       "id": "SARIF2009",
       "fullDescription": {
        "text": "Adopt uniform naming conventions for rule ids. Many tools follow a conventional format for the 'reportingDescriptor.id' property: a short string identifying the tool concatenated with a numeric rule number, for example, 'CS2001' for a diagnostic from the Roslyn C# compiler. For uniformity of experience across tools, we recommend this format."
       },
       "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html",
       "messageStrings": {
        "Note_UseConventionalRuleIds": {
         "text": "{0}: The 'id' property of the rule '{1}' does not follow the recommended format: a short string identifying the tool concatenated with a numeric rule number, for example, 'CS2001'. Using a conventional format for the rule id provides a more uniform experience across tools."
        }
       },
       "name": "ConsiderConventionalIdentifierValues",
       "defaultConfiguration": {
        "level": "note"
       }
      },
      {
       "id": "SARIF2012",
       "fullDescription": {
        "text": "Rule metadata should provide information that makes it easy to understand and fix the problem.\r\n\r\nProvide the 'name' property, which contains a \"friendly name\" that helps users see at a glance the purpose of the rule. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'.\r\n\r\nProvide the 'helpUri' property, which contains a URI where users can find detailed information about the rule. This information should include a detailed description of the invalid pattern, an explanation of why the pattern is poor practice (particularly in contexts such as security or accessibility where driving considerations might not be readily apparent), guidance for resolving the problem (including describing circumstances in which ignoring the problem altogether might be appropriate), examples of invalid and valid patterns, and special considerations (such as noting when a violation should never be ignored or suppressed, noting when a violation could cause downstream tool noise, and noting when a rule can be configured in some way to refine or alter the analysis)."
       },
       "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html",
       "messageStrings": {
        "Note_FriendlyNameNotAPascalIdentifier": {
         "text": "{0}: '{1}' is not a Pascal-case identifier. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'."
        },
        "Note_ProvideFriendlyName": {
         "text": "{0}: The rule '{1}' does not provide a \"friendly name\" in its 'name' property. The friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName', that helps users see at a glance the purpose of the analysis rule."
        },
        "Note_ProvideHelpUri": {
         "text": "{0}: The rule '{1}' does not provide a help URI. Providing a URI where users can find detailed information about the rule helps users to understand the result and how they can best address it."
        },
        "Note_ProvideMetadataForAllViolatedRules": {
         "text": "'{0}' does not provide a 'rules' property. 'rules' contain information that helps users understand why each rule fires and what the user can do to fix it."
        },
        "Note_ProvideRuleMetadata": {
         "text": "'{0}' does not provide metadata for rule '{1}'. Rule metadata contains information that helps the user understand why each rule fires and what the user can do to fix it."
        }
       },
       "name": "ProvideRuleProperties",
       "defaultConfiguration": {
        "level": "note"
       }
      }
     ]
    }
   },
   "invocations": [
    {
     "startTimeUtc": "2021-09-04T21:19:55.139Z",
     "endTimeUtc": "2021-09-04T21:19:58.414Z",
     "executionSuccessful": true
    }
   ],
   "artifacts": [
    {
     "location": {
      "uri": "file:///D:/home/site/wwwroot/UploadedFiles/cfc6bd1c-1cb1-4cd4-917e-f3d3681f9703.sarif"
     }
    }
   ],
   "columnKind": "utf16CodeUnits"
  }
 ]
}

Any tip on how to get this working is highly appreciated.

@AndreyLevchenko
Contributor

Hi @eddynaka
As far as I can understand the scenario described by @tricky42, the workflow is configured to build a docker image and then scan it for vulnerabilities. This way no files can be referenced in the results section. What can you suggest for the sarif structure, given that the scanner can't provide references to specific files?

@eddynaka

eddynaka commented Sep 9, 2021

Hi @AndreyLevchenko ,

Maybe I didn't understand much how Trivy works.
For example, what does Trivy analyze? Does it analyze the docker itself or does it analyze the dockerfile?

If Trivy analyzes the docker itself: yeah, that's complex.
If Trivy analyzes the dockerfile: we would be able to say: "image xyz is bad and that image is on line 123".

@AndreyLevchenko
Contributor

Trivy can check both, but in the scenario above the entire docker image is checked. (So it's scenario 1.)

@eddynaka

eddynaka commented Sep 9, 2021

Hi @AndreyLevchenko ,

Got it.
For scenario (1) we cannot do much since you are analyzing the docker itself.
But for scenario (2) we can improve the SARIF output and point to the line with which we have a problem.

What do you think?

@AndreyLevchenko
Contributor

So there is no option to return results without mentioning specific files in the repository?

@eddynaka

eddynaka commented Sep 9, 2021

GH Security is trying to help developers fix source code issues. With that in mind, if we don't have a file to point to, GH cannot render the SARIF correctly, causing the issue above.

The SARIF itself can handle that.

@AndreyLevchenko
Contributor

@eddynaka thank you for the explanation.
@tricky42
Probably then there is a workaround: modify the custom sarif template to point to the first line of your docker file for every vulnerability found. So the entire locations section will be hardcoded.
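
As an added example (not Trivy's code and not posted by anyone in this thread), the Python below re-implements the three errors the SARIF Validator reported above (GH1003 missing region, and the two SARIF1004 errors on the "/" base URI) and then applies the workaround just suggested: every location is rewritten to the first line of a repository file. The sample SARIF, the `Dockerfile` path, and the message wording are constructed assumptions that mirror the structure of the file posted in this issue.

```python
import copy
import json
from urllib.parse import urlparse

# Constructed sample mirroring the shape of the Trivy SARIF posted in this
# issue, trimmed to one result; the rule id is the one the validator quoted.
TRIVY_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Trivy", "rules": [{
      "id": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libcrypto1.1-1.1.1k-r0 CVE-2021-3712",
      "name": "OS Package Vulnerability (Alpine)"}]}},
    "results": [{
      "ruleId": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c (alpine 3.12.7): libcrypto1.1-1.1.1k-r0 CVE-2021-3712",
      "ruleIndex": 0,
      "level": "error",
      "message": {"text": "CVE-2021-3712 in libcrypto1.1-1.1.1k-r0 (constructed sample message)"},
      "locations": [{"physicalLocation": {"artifactLocation": {
        "uri": "oryd/kratos:5775b9027eee48f4bb94953c067043456604a92c",
        "uriBaseId": "ROOTPATH"}}}]
    }],
    "columnKind": "utf16CodeUnits",
    "originalUriBaseIds": {"ROOTPATH": {"uri": "/"}}
  }]
}
""")


def check(sarif):
    """Re-implement the three validator errors from the report above and return
    them as (ruleId, jsonPath, detail) tuples in document order."""
    findings = []
    for r_idx, run in enumerate(sarif.get("runs", [])):
        for base_id, base in run.get("originalUriBaseIds", {}).items():
            uri = base.get("uri", "")
            path = f"runs[{r_idx}].originalUriBaseIds.{base_id}"
            # Error_TopLevelUriBaseIdMustBeAbsolute: an entry without its own
            # uriBaseId must carry an absolute URI (i.e. one with a scheme).
            if "uriBaseId" not in base and not urlparse(uri).scheme:
                findings.append(("SARIF1004", path, f"'{uri}' is not an absolute URI"))
            # Error_RelativeReferenceMustNotBeginWithSlash on the same value.
            if not urlparse(uri).scheme and uri.startswith("/"):
                findings.append(("SARIF1004", path + ".uri",
                                 f"relative reference '{uri}' begins with a slash"))
        for res_idx, result in enumerate(run.get("results", [])):
            for loc_idx, loc in enumerate(result.get("locations", [])):
                phys = loc.get("physicalLocation", {})
                path = f"runs[{r_idx}].results[{res_idx}].locations[{loc_idx}].physicalLocation"
                # GH1003 Error_MissingRegion: at minimum region.startLine is required.
                if "startLine" not in phys.get("region", {}):
                    findings.append(("GH1003", path, "'region' with 'startLine' is absent"))
                art = phys.get("artifactLocation", {})
                # SARIF1004 also forbids a leading slash on a relative artifact uri.
                if "uriBaseId" in art and art.get("uri", "").startswith("/"):
                    findings.append(("SARIF1004", path + ".artifactLocation.uri",
                                     "relative reference begins with a slash"))
    return findings


def anchor_to_file(sarif, repo_file="Dockerfile", line=1):
    """The workaround suggested in the thread: hardcode every result's location
    to the first line of a file that exists in the repository. Returns a copy;
    repo_file is an assumed repository-relative path."""
    fixed = copy.deepcopy(sarif)
    for run in fixed.get("runs", []):
        # Drop the "/" base entirely: with no uriBaseId on the artifact, the uri
        # below is a plain repository-relative path and SARIF1004 no longer applies.
        run.pop("originalUriBaseIds", None)
        for result in run.get("results", []):
            # The image reference lived in the uri; carry it over into the message
            # so that information is not lost when the location is replaced.
            old = [loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                   for loc in result.get("locations", [])]
            old = [u for u in old if u]
            msg = result.setdefault("message", {})
            if old and "text" in msg:
                msg["text"] += " [scanned artifact: " + ", ".join(old) + "]"
            result["locations"] = [{"physicalLocation": {
                "artifactLocation": {"uri": repo_file},
                "region": {"startLine": line},
            }}]
    return fixed


if __name__ == "__main__":
    for rule, path, detail in check(TRIVY_SARIF):
        print(f"{rule} {path}: {detail}")
    print(json.dumps(anchor_to_file(TRIVY_SARIF), indent=2))
```

In a workflow this would run between the Trivy step and upload-sarif, reading the real output file in place of the constructed TRIVY_SARIF.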

@github-actions

github-actions bot commented Nov 9, 2021

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Nov 9, 2021
AndreyLevchenko added a commit to AndreyLevchenko/trivy that referenced this issue Nov 15, 2021
@AndreyLevchenko
Contributor

Hi @tricky42, @mgmgwi
Trivy 0.21.0 is released. It includes several SARIF related fixes. Please test it in your environments.
#1382
Thanks
