Specify location.message in SARIF reports #3002

Closed
candrews opened this issue Oct 7, 2022 · 1 comment · Fixed by #3003
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

candrews (Contributor) commented Oct 7, 2022

SARIF allows a "message" to be provided for a location, and that can carry more useful information. See:
https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317675

It would be helpful to set this property so SARIF consumers can display better information. It would be particularly nice if Trivy included the file and the package name and version (e.g., `pom.xml:org.yaml:snakeyaml@1.30`).

candrews added the kind/feature label Oct 7, 2022

candrews added commits to candrews/trivy referencing this issue on Oct 7, Oct 8 and Oct 11, 2022 (Signed-off-by: Craig Andrews <candrews@integralblue.com>).

knqyf263 pushed a commit that referenced this issue Oct 12, 2022 (Signed-off-by: Craig Andrews <candrews@integralblue.com>; Co-authored-by: AMF <work@afdesk.com>).
xomgc3 commented Jan 12, 2023

I'd like to piggy-back onto this issue, @candrews. The file path needs to be added to the message. When scanning multiple files of the same type, this is insufficient:

```json
"message": {
  "text": "Dockerfile"
}
```

This is the command:

```shell
trivy config --format sarif --exit-code 1 --severity CRITICAL,HIGH --output trivy-results.sarif ./my/nested/dir
```
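An added example, not Trivy's own code and not part of this thread, covering both candrews's request (file plus package@version in `location.message`) and xomgc3's case (a location message of just "Dockerfile" for a nested file): it emits SARIF 2.1.0 results with the proposed `file:package@version` message text, and audits a SARIF document for location messages that are missing or do not name the artifact URI. The rule IDs, findings and paths are constructed placeholders, and the "message must contain the artifact URI" check is my own CI convention, not a SARIF requirement.

```python
"""Build SARIF results with informative location.message values and audit
existing SARIF reports for ambiguous ones. Constructed example; the rule IDs
and findings below are placeholders, not real Trivy checks."""
from dataclasses import dataclass
from typing import List, Optional
import json


@dataclass
class Finding:
    rule_id: str                    # placeholder IDs (EXAMPLE-*), not real Trivy rules
    level: str                      # SARIF level: "error", "warning" or "note"
    summary: str                    # goes into result.message.text
    artifact: str                   # path relative to the scan root, e.g. "pom.xml"
    pkg: Optional[str] = None       # e.g. "org.yaml:snakeyaml"; None for misconfigurations
    version: Optional[str] = None   # e.g. "1.30"
    start_line: int = 1


def location_message(f: Finding) -> str:
    """Text for location.message: file:package@version for package findings
    (the form proposed in the issue); for file-level findings the full relative
    path alone distinguishes several files that share a name."""
    if f.pkg:
        return f"{f.artifact}:{f.pkg}@{f.version}"
    return f.artifact


def to_sarif(findings: List[Finding], tool_version: str = "0.0.0") -> dict:
    """Assemble a minimal SARIF 2.1.0 log: one run, one location per result."""
    results = []
    for f in findings:
        results.append({
            "ruleId": f.rule_id,
            "level": f.level,
            "message": {"text": f.summary},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": f.artifact, "uriBaseId": "ROOTPATH"},
                    "region": {"startLine": f.start_line},
                },
                # The per-location message this issue asks for.
                "message": {"text": location_message(f)},
            }],
        })
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "trivy", "version": tool_version}},
            "results": results,
        }],
    }


def audit_location_messages(sarif: dict) -> List[str]:
    """Return one complaint per location whose message is absent or does not
    mention the artifact URI, so a CI step can reject ambiguous reports."""
    problems = []
    for run in sarif.get("runs", []):
        for idx, res in enumerate(run.get("results", [])):
            rule = res.get("ruleId", "?")
            for loc in res.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri"))
                text = loc.get("message", {}).get("text", "")
                if not text:
                    problems.append(f"result {idx} ({rule}): location has no message")
                elif uri and uri not in text:
                    problems.append(
                        f"result {idx} ({rule}): message {text!r} does not name artifact {uri!r}")
    return problems


# Constructed findings: the issue's pom.xml/snakeyaml example and a nested Dockerfile.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-VULN-1", "error", "Vulnerable dependency",
            "pom.xml", pkg="org.yaml:snakeyaml", version="1.30", start_line=42),
    Finding("EXAMPLE-DS-1", "warning", "Image runs as root",
            "my/nested/dir/Dockerfile", start_line=3),
]

# Constructed report in the shape the second comment complains about:
# the location message says only "Dockerfile" although the artifact is nested.
AMBIGUOUS_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "trivy"}},
        "results": [{
            "ruleId": "EXAMPLE-DS-1",
            "level": "warning",
            "message": {"text": "Image runs as root"},
            "locations": [{
                "physicalLocation": {"artifactLocation": {"uri": "my/nested/dir/Dockerfile"}},
                "message": {"text": "Dockerfile"},
            }],
        }],
    }],
}

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
    for problem in audit_location_messages(AMBIGUOUS_REPORT):
        print("problem:", problem)
```

Run it as a script to see the generated report and the single complaint about the ambiguous one; `audit_location_messages` can be pointed at a real `trivy-results.sarif` after `json.load` to fail a pipeline when a consumer would otherwise be left with bare file names.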
