Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(report): removes git::http from uri in sarif #5244

Merged
merged 2 commits into from
Oct 2, 2023
Merged

fix(report): removes git::http from uri in sarif #5244

merged 2 commits into from
Oct 2, 2023

Conversation

megalucio
Copy link
Contributor

@megalucio megalucio commented Sep 25, 2023
edited
Loading

Description

Sarif files are being generated with "git:http://" inside the uri fields which are invalid. This change will strip of the string, leaving the sarif files being valid and therefore able to upload to github which is failing at the minute.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@megalucio
fix(sarif): removes git::http from uri in sarif
c7353d0 
* fix(sarif): removes git::http from uri in sarif

## Description

## Related issues
- Fixes aquasecurity#5003

## Checklist
- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
@CLAassistant
Copy link

CLAassistant commented Sep 25, 2023
edited
Loading

CLA assistant check
All committers have signed the CLA.

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@megalucio megalucio marked this pull request as ready for review September 25, 2023 20:18
@megalucio megalucio changed the title fix(sarif): removes git::http from uri in sarif fix(report): removes git::http from uri in sarif Sep 25, 2023
@simar7 simar7 self-requested a review September 30, 2023 03:29
@simar7
Copy link
Member

simar7 commented Oct 2, 2023

@knqyf263 I have reviewed the changes and they are fine to me, do you want to review as well?

@knqyf263
Copy link
Collaborator

knqyf263 commented Oct 2, 2023

@knqyf263 I have reviewed the changes and they are fine to me, do you want to review as well?

It is enough as you reviewed it. I'll merge it.

@knqyf263 knqyf263 added this pull request to the merge queue Oct 2, 2023
Merged via the queue into aquasecurity:main with commit 23b5fec Oct 2, 2023
12 checks passed
@musabmasood
Copy link

Can you double check if this has really been fixed in the latest version?

Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-10-19 12:21:53.447611675 +0000 UTC
  NextUpdate: 2023-10-19 18:21:53.447610575 +0000 UTC
  DownloadedAt: 2023-10-19 15:26:37.85902 +0000 UTC
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-11-07 19:05:18.123689 +0000 UTC

The git::https is still present in URIs

trivy config ./myterraformcode -f sarif -o myresults.sarif

# within the result
{
          "ruleId": "AVD-GCP-0015",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: git::https:/github.com/GoogleCloudPlatform/terraform-google-sql-db?ref=v15.1.0/modules/mysql/main.tf\nType: terraform\nVulnerability AVD-GCP-0015\nSeverity: HIGH\nMessage: Database instance does not require TLS for all connections.\nLink: [AVD-GCP-0015](https://avd.aquasec.com/misconfig/avd-gcp-0015)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "git::https:/github.com/GoogleCloudPlatform/terraform-google-sql-db?ref=v15.1.0/modules/mysql/main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 120,
                  "startColumn": 1,
                  "endLine": 120,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "git::https:/github.com/GoogleCloudPlatform/terraform-google-sql-db?ref=v15.1.0/modules/mysql/main.tf"
              }
            }
          ]
        },

@musabmasood
Copy link

I am getting around with --tf-exclude-downloaded-modules. I github rejects the SARIF because of 3rd party modules.

@aqua-bot aqua-bot mentioned this pull request May 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simar7 simar7 simar7 approved these changes

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

@nikpivkin nikpivkin Awaiting requested review from nikpivkin

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

bug: SARIF URI scheme "git" did not match the checkout URI scheme "file"
5 participants
@megalucio @CLAassistant @simar7 @knqyf263 @musabmasood