SARIF with Trivy #930
Comments
It might be difficult for now, but everything else sounds really good. @eddynaka Looks like you already have the implementation you suggested. Are you able to contribute? Here is the template.
hi @knqyf263, SARIF contains 4 levels (Error, Warning, Note, and None). We have to do a mapping from trivy to SARIF. Can you help me with that?
You will find how to use the template here.
The test is here. You can define a custom function converting Trivy's severities to SARIF levels. Trivy has 5 severities: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN. What about the following mapping?
hi @knqyf263, thanks for the mapping and the guidelines! We will open a PR soon!
hi @knqyf263, Thanks for sharing the information.
My OS is Windows 10 pro. Can I run trivy in Windows 10? I don't see a Windows-related section in the installation doc https://aquasecurity.github.io/trivy/latest/installation/
hi @knqyf263, Another question regarding the sarif result. In the current sarif template, the result artifact location uri is hard-coded to "Dockerfile", and the region is also hard-coded to line 1/column 1. I see the output in the usage screenshot https://github.com/aquasecurity/trivy/blob/main/docs/imgs/usage2.png has the file name in the output, e.g. "node-app/package-lock.json". How can I access this file path in the template? Is the information about the start/end line/column where the vulnerability occurs available to be used in the template?
hi @yongyan-gh
As you have observed, Trivy does require Go 1.16. While you cannot functionally run Trivy as a scanner to scan for vulnerabilities on a Windows machine (as it is not a supported platform), my guess is that you should be able to run the unit tests if you upgrade your Go version to 1.16, which looks to be the issue here.
This information comes from the Result.Target field. You can see a test here: trivy/pkg/scanner/scan_test.go, line 71 in 8b3b5d0.
In order to get this information within the template, you could get it via
hi @simar7, Thanks for the information. I am able to run trivy after upgrading to Go 1.16. The detection functionalities don't run on Windows OS, I will try another supported OS / or run tests to verify the results. Is the Target field a file path? Is it a relative path or an absolute path? Trying to create a Uri in the sarif report which points to the particular file. Do we have information on which line/column of the file the vulnerability is detected at?
Good questions. It is a path and to my knowledge, it's relative to the directory trivy is run from. As you mentioned, we can narrow it down to the appropriate file but we currently don't have line/column information where the vulnerability is detected.
@simar7, thanks for confirming, I think we can populate regions in the sarif report whenever the information is available. One of the comments is to provide a proper rule name:
Can you please suggest how to construct the proper rule name using the existing Result object?
My approach here would be to first determine if it's a programming language vulnerability or a package vulnerability. For this we have the following report Types available (accessible through the Type field): trivy/pkg/vulnerability/vulnerability.go, lines 82 to 105 in 6ed25c1.
In this case if a programming language vulnerability (npm, nuget, ruby, cargo, etc.) is found, we could label it with a rule name of
You can consider having this logic as conditionals in the SARIF template. I would define a new
Hope this makes sense, if not feel free to ask more questions! happy to help.
@simar7 thank you, it sounds like a good suggestion for the rule name. Will create a custom function to handle the rule name conversion. Will send a PR for review soon. Thanks for your help!
Hello, I need help with generating a report in Sarif format. I couldn't post my message as a new help issue because of the New Issues Experience - "No templates available for the current repository". The error has also affected trivy: https://github.com/orgs/community/discussions/151806#discussioncomment-12350548 Anyways, I am using GitLab CI/CD and I am testing container scanning using trivy in docker-in-docker. I am using this command in my pipeline:
However I got this error:
Any help with this error? I am attaching a screenshot for reference. Also it works when other formats like HTML are used, but it only fails when using the sarif format.
Hello!
We saw that you have some SARIF implementation in Trivy and we would like to enhance it!
Below are a few things that we could change to improve:
• Provide helpUri for rules "pyup.io-37132" / "pyup.io-38303" / "pyup.io-39525"
• Remove the character 'v' from the start of the version string: "v0.15.0" to "0.15.0"
• Provide a proper rule name which makes it easy to understand and fix the problem. Currently, the rule name is hardcoded to "dockerfile_scan".
• Create a mapping between Trivy severities and SARIF levels, remove the Trivy severity from the rule id, and add a defaultConfiguration section with the corresponding SARIF level to the rule.
E.g. rule id "[UNKNOWN] RUSTSEC-2019-0001" changed to "RUSTSEC-2019-0001", and add the corresponding level information:
• Provide a code snippet if possible for each result. Noticed that for all results in this Trivy SARIF log, the region is hardcoded to file "Dockerfile" and the region start/end line/column hardcoded to 1.
• Currently all results' levels are set to "error".
• Provide the contextRegion property if possible, to enable users to see a portion of the code that surrounds each result.
• Provide uriBaseId in the result's artifactLocation property, which references a root path in the originalUriBaseIds property under the run object.
E.g. add originalUriBaseIds under the run object.
In the artifact location it can reference this root path using uriBaseId REPO_ROOT
Attached you can see our suggestions implemented.
trivy_test_updated.zip
Let us know what you think!
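The severity-to-level mapping asked about in the comments and the issue body's requests (bare rule id with the level in defaultConfiguration, helpUri per rule, uriBaseId resolved through originalUriBaseIds) worked as one added Go text/template example; this is not Trivy's own template or code. The Finding type, the jsonStr helper, the mapping table and the file:///scan-root/ base URI are assumptions made here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// Finding is a constructed stand-in for one Trivy result (field names assumed).
type Finding struct{ Target, VulnerabilityID, Severity, Title, PrimaryURL string }

// Trivy's five severities onto SARIF's four levels; UNKNOWN falls through to "none".
var sarifLevel = map[string]string{"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}

func toSarifLevel(severity string) string {
	if l, ok := sarifLevel[strings.ToUpper(severity)]; ok {
		return l
	}
	return "none"
}

// jsonStr (hypothetical helper) JSON-encodes a string so quotes in a title cannot break the document.
func jsonStr(s string) string { b, _ := json.Marshal(s); return string(b) }

// Rule id is the bare vulnerability id (no "[SEVERITY] " prefix), the level sits in
// defaultConfiguration, and artifact paths are relative to the REPO_ROOT base URI.
const sarifTpl = `{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"Trivy","rules":[
{{- range $i, $f := . }}{{ if $i }},{{ end }}
{"id":{{ jsonStr $f.VulnerabilityID }},"helpUri":{{ jsonStr $f.PrimaryURL }},
"defaultConfiguration":{"level":{{ toSarifLevel $f.Severity | jsonStr }} }}
{{- end }}]}},"originalUriBaseIds":{"REPO_ROOT":{"uri":"file:///scan-root/"}},"results":[
{{- range $i, $f := . }}{{ if $i }},{{ end }}
{"ruleId":{{ jsonStr $f.VulnerabilityID }},"level":{{ toSarifLevel $f.Severity | jsonStr }},
"message":{"text":{{ jsonStr $f.Title }}},"locations":[{"physicalLocation":
{"artifactLocation":{"uri":{{ jsonStr $f.Target }},"uriBaseId":"REPO_ROOT"}}}]}
{{- end }}]}]}`

// render executes the template with the custom functions and rejects invalid JSON output.
func render(findings []Finding) (string, error) {
	funcs := template.FuncMap{"toSarifLevel": toSarifLevel, "jsonStr": jsonStr}
	t := template.Must(template.New("sarif").Funcs(funcs).Parse(sarifTpl))
	var sb strings.Builder
	err := t.Execute(&sb, findings)
	if err == nil && !json.Valid([]byte(sb.String())) {
		err = fmt.Errorf("template produced invalid JSON")
	}
	return sb.String(), err
}
```

render takes the scan's findings with Target paths relative to the scan root (as described in the comments) and returns the SARIF document as a string; the json.Valid check catches a template edit that breaks the quoting.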