Description

asff.tpl incorrectly escapes strings in descriptions using

It also incorrectly escapes the

Desired Behavior

The string to be correctly escaped.

Actual Behavior

The escaped string was incorrect and caused an error when pushing to security hub. This is the output:

And the error from AWS CLI

Escaping on the

Reproduction Steps

1. Scan a container with CVE-2021-23382 (e.g. nodejs-postcss:7.0.21) and CVE-2022-24999 (e.g. qs:6.3.0)
2. Attempt to push the results to AWS security hub

Target: Container Image
Scanner: Vulnerability
Output Format: Template
Mode: Standalone
Debug Output: AWS_REGION=eu-west-1 AWS_ACCOUNT_ID=$AWS_ACCOUNT_NUMBER REPO_NAME=$repo_name GITLAB_TOKEN=$GITLAB_PIPELINE_ACCESS_TOKEN trivy repo --format template --template "@asff.tpl" -o unformattedReport.asff $http_clone_url
Operating System: Alpine
Version: 0.51
Checklist
Hello @IzaakBH
Do you use latest
I see escaped characters in your case:

➜ shasum ./contrib/asff.tpl
52029883e1ece437346275bb31ba18ede8093367 ./contrib/asff.tpl
➜ trivy fs -f template -t @contrib/asff.tpl /Users/work/work/temp/6667/package-lock.json | grep "The package postcss before"
"Description": "The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \\/\\*\\s* sourceMappingURL=(.*).",

Regards,
Dmitriy
That command gave
jq: parse error: Invalid numeric literal at line 1, column 12
But after manually inspecting the output, I saw that it was correctly escaped for the vulnerability mentioned. I ran it through all the same manipulation our script is running and the output was still correctly escaped.
"The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*)."
My guess is either...
a) We didn't actually have the latest asff
b) There is some difference on mac vs linux (i am on mac but the server that saw the error is linux)
c) The server has an older version of trivy.
I will figure out which of these it is and update.
Thanks for the help so far
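The failure discussed in this thread, as an added example (not Trivy's code and not contrib/asff.tpl): a small ASFF-shaped Go text/template rendered once with a JSON-aware escape function and once without, fed the postcss description quoted above, then parsed the way jq or Security Hub would. The template text, the `finding` struct and the `jsonEscape` helper are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Constructed input: the postcss description quoted in the thread, as the raw value a
// scanner hands to the template (single, unescaped backslashes in the regex sub-pattern).
const sampleDescription = `The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).`

type finding struct{ Title, Description string }

// jsonEscape (hypothetical template helper) returns the body of a JSON string literal:
// json.Marshal applies RFC 8259 escaping (\\ \" \uXXXX) and the surrounding quotes are dropped.
func jsonEscape(s string) string {
	b, _ := json.Marshal(s) // marshalling a string never fails; invalid UTF-8 is replaced
	return string(b[1 : len(b)-1])
}

// render executes an ASFF-shaped template (assumed, not contrib/asff.tpl) against f.
// escaped=false mirrors a template that copies the raw text straight into the JSON.
func render(f finding, escaped bool) (string, error) {
	tpl := `{"Title": "{{ .Title }}", "Description": "{{ .Description }}"}`
	if escaped {
		tpl = `{"Title": "{{ jsonEscape .Title }}", "Description": "{{ jsonEscape .Description }}"}`
	}
	t := template.Must(template.New("asff").Funcs(template.FuncMap{"jsonEscape": jsonEscape}).Parse(tpl))
	var buf bytes.Buffer
	err := t.Execute(&buf, f)
	return buf.String(), err
}

// decodeDescription is the consumer-side check (what jq and Security Hub do): parse the
// document as JSON and return the Description field, or the parse error.
func decodeDescription(doc string) (string, error) {
	var out struct{ Description string }
	err := json.Unmarshal([]byte(doc), &out)
	return out.Description, err
}

func main() {
	f := finding{Title: "CVE-2021-23382", Description: sampleDescription}
	for _, escaped := range []bool{false, true} {
		doc, _ := render(f, escaped)
		desc, err := decodeDescription(doc)
		fmt.Printf("escaped=%v parse_err=%v roundtrip=%v\n", escaped, err, desc == f.Description)
	}
}
```

The unescaped rendering fails on `\*` (a valid JSON escape is `\/`, but `\*` and `\s` are not), which is the same class of error jq reported above; the escaped rendering doubles every backslash and the description survives the round trip unchanged.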