Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(sarif): handle empty artifactLocation.uri fields #8141

Open
nikpivkin opened this issue Dec 20, 2024 · 4 comments
Open

fix(sarif): handle empty artifactLocation.uri fields #8141

nikpivkin opened this issue Dec 20, 2024 · 4 comments

Comments

@nikpivkin
Copy link
Contributor

Related Issues:

In some cases, Trivy generates a SARIF report with an empty artifactLocation.uri. Although such reports successfully pass validation at https://sarifweb.azurewebsites.net/Validation, which is recommended by GitHub in their documentation, uploading them using the github/codeql-action/upload-sarif action fails with the following error:

Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location

This remains an unresolved issue:

Potential solutions:

  1. Remove results that do not meet the criteria from the report and log this.
  2. As suggested in a discussion, populate the artifactLocation.uri field with a dummy value.
@nikpivkin
Copy link
Contributor Author

@aquasecurity/trivy WDYT?

@DmitriyLewen
Copy link
Contributor

Correct me if I'm wrong:
We use Target field for secrets and licenses.
We also use Target or PkgPath for vulnerabilities.
So for them artifactLocation.uri is always non-empty.

This means we have to handle cases with misconfigs.
We can use modules (like terraform) for artifactLocation.uri (#7897)
And IIUC these modules can be empty.
Can we use the name of the file being scanned (e.g. main.tf) in this case?

@nikpivkin
Copy link
Contributor Author

The whole problem is that Target can be empty, so we can't fill in artifactLocation.uri. Users have encountered this when scanning images for vulnerabilities (see microsoft/sarif-sdk#2770 (comment))

@DmitriyLewen
Copy link
Contributor

thanks. I missed this comment.

I found the reason for empty Target.
It happens for SBOM files not generated by Trivy (when we can't determine filepath for Application).
But I think we need to fix this issue for Trivy - each result should contain Target.

I added logic to add filepath for aggregated languages ​​- #8052

But it seems that we always need to add filepath if we can't determine it (no matter what the reason).
But there is one problem with this:
We can show Application path or SBOM filepath - this can confuse users.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants