
Inconsistent report between the SARIF and JSON format #2801

Closed
Mikaciu opened this issue Sep 1, 2022 · 2 comments · Fixed by #2820
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments


Mikaciu commented Sep 1, 2022

Description

Hello,

I have a discrepancy between the SARIF output and the JSON output. I have an issue reported in the JSON report ("RuleID": "sendgrid-api-token"), but this issue does not show in the SARIF report.

What did you expect to happen?

The same results in the SARIF report as in the JSON report.

What happened instead?

The SARIF report is empty.

Output of run with -debug:

$ trivy fs --security-checks vuln,config,secret . --exit-code 1 --format sarif --output trivy_report_fs.sarif --debug
2022-09-01T12:10:53.439+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-01T12:10:53.442+0200    DEBUG   cache dir:  /home/mika/.cache/trivy
2022-09-01T12:10:53.442+0200    DEBUG   DB update was skipped because the local DB is the latest
2022-09-01T12:10:53.442+0200    DEBUG   DB Schema: 2, UpdatedAt: 2022-09-01 06:14:05.457025002 +0000 UTC, NextUpdate: 2022-09-01 12:14:05.457024602 +0000 UTC, DownloadedAt: 2022-09-01 09:47:51.791175466 +0000 UTC
2022-09-01T12:10:53.443+0200    INFO    Vulnerability scanning is enabled
2022-09-01T12:10:53.443+0200    DEBUG   Vulnerability type:  [os library]
2022-09-01T12:10:53.443+0200    INFO    Misconfiguration scanning is enabled
2022-09-01T12:10:53.443+0200    INFO    Secret scanning is enabled
2022-09-01T12:10:53.443+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-01T12:10:53.443+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-09-01T12:10:53.443+0200    DEBUG   No secret config detected: trivy-secret.yaml
2022-09-01T12:10:54.099+0200    DEBUG   OS is not detected.
2022-09-01T12:10:54.099+0200    DEBUG   Detected OS: unknown
2022-09-01T12:10:54.099+0200    INFO    Number of language-specific files: 0
2022-09-01T12:10:54.099+0200    INFO    Detected config files: 1
2022-09-01T12:10:54.099+0200    DEBUG   Scanned config file: docker/Dockerfile
2022-09-01T12:10:54.099+0200    DEBUG   Secret file: XXXXXX/appsettings.json

$ trivy fs --security-checks vuln,config,secret . --exit-code 1 --format json --output trivy_report_fs.json --debug
2022-09-01T12:09:57.031+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-01T12:09:57.033+0200    DEBUG   cache dir:  /home/mika/.cache/trivy
2022-09-01T12:09:57.033+0200    DEBUG   DB update was skipped because the local DB is the latest
2022-09-01T12:09:57.034+0200    DEBUG   DB Schema: 2, UpdatedAt: 2022-09-01 06:14:05.457025002 +0000 UTC, NextUpdate: 2022-09-01 12:14:05.457024602 +0000 UTC, DownloadedAt: 2022-09-01 09:47:51.791175466 +0000 UTC
2022-09-01T12:09:57.034+0200    INFO    Vulnerability scanning is enabled
2022-09-01T12:09:57.034+0200    DEBUG   Vulnerability type:  [os library]
2022-09-01T12:09:57.034+0200    INFO    Misconfiguration scanning is enabled
2022-09-01T12:09:57.034+0200    INFO    Secret scanning is enabled
2022-09-01T12:09:57.034+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-01T12:09:57.034+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-09-01T12:09:57.034+0200    DEBUG   No secret config detected: trivy-secret.yaml
2022-09-01T12:09:57.672+0200    DEBUG   OS is not detected.
2022-09-01T12:09:57.672+0200    DEBUG   Detected OS: unknown
2022-09-01T12:09:57.672+0200    INFO    Number of language-specific files: 0
2022-09-01T12:09:57.672+0200    INFO    Detected config files: 1
2022-09-01T12:09:57.672+0200    DEBUG   Scanned config file: docker/Dockerfile
2022-09-01T12:09:57.672+0200    DEBUG   Secret file: XXXXXX/appsettings.json

$ cat trivy_report_fs.sarif | jq '.runs[].results'
[]

$ cat trivy_report_fs.json  | jq '.Results | length'
2

Output of trivy -v:

Version: 0.31.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-09-01 06:14:05.457025002 +0000 UTC
  NextUpdate: 2022-09-01 12:14:05.457024602 +0000 UTC
  DownloadedAt: 2022-09-01 09:47:51.791175466 +0000 UTC
Mikaciu added the kind/bug label Sep 1, 2022
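The two jq one-liners above only compare a result count against an empty array, which tells you that something is missing but not what. The script below is an added example (not part of the original issue and not Trivy's own code): it counts findings per rule ID in a Trivy JSON report (VulnerabilityID, ID and RuleID across the Vulnerabilities, Misconfigurations and Secrets sections of each Results[] entry) and in the matching SARIF file (runs[].results[].ruleId), and reports every rule the SARIF output under-reports. The embedded sample reports are constructed for the demonstration, and their rule IDs and paths are illustrative; a CI job would read the two real files written by the scan instead.

```python
"""Cross-check a Trivy JSON report against the SARIF report of the same scan.

Added example, not Trivy's own code. Field names follow Trivy's JSON output
(VulnerabilityID / ID / RuleID) and the SARIF 2.1.0 schema (ruleId).
"""
import json
import sys
from collections import Counter

# Trivy JSON section name -> field that identifies the rule for that section.
ID_FIELDS = {
    "Vulnerabilities": "VulnerabilityID",
    "Misconfigurations": "ID",
    "Secrets": "RuleID",
}


def json_rule_counts(report: dict) -> Counter:
    """Count findings per rule ID across every Results[] entry of the JSON report."""
    counts: Counter = Counter()
    for result in report.get("Results") or []:
        for section, id_field in ID_FIELDS.items():
            for finding in result.get(section) or []:
                counts[finding[id_field]] += 1
    return counts


def sarif_rule_counts(sarif: dict) -> Counter:
    """Count results per ruleId across every run of the SARIF document."""
    counts: Counter = Counter()
    for run in sarif.get("runs") or []:
        for result in run.get("results") or []:
            counts[result["ruleId"]] += 1
    return counts


def missing_from_sarif(report: dict, sarif: dict) -> dict:
    """Return {rule_id: shortfall} for rules the JSON report has but SARIF lacks."""
    json_counts = json_rule_counts(report)
    sarif_counts = sarif_rule_counts(sarif)
    gap = {}
    for rule_id, n in json_counts.items():
        short = n - sarif_counts.get(rule_id, 0)
        if short > 0:
            gap[rule_id] = short
    return gap


# Constructed sample reports (minimal shapes, not real scan output): the JSON
# report carries one Dockerfile misconfiguration and one secret, the SARIF
# report carries only the misconfiguration, mirroring the discrepancy above.
SAMPLE_JSON = {
    "Results": [
        {
            "Target": "docker/Dockerfile",
            "Class": "config",
            "Misconfigurations": [{"ID": "DS002", "Severity": "HIGH"}],
        },
        {
            "Target": "app/appsettings.json",
            "Class": "secret",
            "Secrets": [{"RuleID": "sendgrid-api-token", "Severity": "HIGH", "StartLine": 4}],
        },
    ]
}

SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Trivy"}},
            "results": [
                {
                    "ruleId": "DS002",
                    "level": "error",
                    "locations": [
                        {"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}}}
                    ],
                }
            ],
        }
    ],
}


def main(argv: list) -> int:
    """Usage: compare.py report.json report.sarif; exit 1 if SARIF under-reports."""
    if len(argv) == 3:
        with open(argv[1]) as fj, open(argv[2]) as fs:
            report, sarif = json.load(fj), json.load(fs)
    else:  # no files given: run on the constructed samples
        report, sarif = SAMPLE_JSON, SAMPLE_SARIF
    gap = missing_from_sarif(report, sarif)
    for rule_id, short in sorted(gap.items()):
        print(f"SARIF is missing {short} finding(s) for rule {rule_id}")
    return 1 if gap else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments it evaluates the constructed samples and reports the one secret finding that the SARIF output lacks; in a pipeline, pass the JSON and SARIF files from the same scan and fail the job on a non-zero exit so a silently empty SARIF upload cannot hide findings that the JSON report already showed.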
DmitriyLewen (Contributor) commented

Hello @Mikaciu
Thanks for your report!

If I understand correctly, this is because the SARIF format doesn't currently contain secrets.
Let me know if your JSON report contains vulnerabilities or misconfigurations.

I created PR #2820, where I added secrets to the SARIF format.

I'll write to you when this PR is merged.

Regards, Dmitriy

Mikaciu (Author) commented Sep 13, 2022

Thanks!
I'm eagerly waiting for the new trivy brew version ;)
BR
