
Sarif json is not escaping \n on results.message.text #5566

Closed
2 tasks done
DmitriyLewen opened this issue Nov 14, 2023 Discussed in #5559 · 0 comments · Fixed by #5568
Labels: scan/license (issues relating to license scanning), scan/misconfiguration (issues relating to misconfiguration scanning), scan/secret (issues relating to secret scanning), scan/vulnerability (issues relating to vulnerability scanning)

Comments

@DmitriyLewen (Contributor)

Discussed in #5559

Originally posted by pragmaticivan November 13, 2023

Description

The SARIF output is not escaping correctly: it uses `\n` instead of `\\n`, which breaks decoders such as `json.NewDecoder(reader).Decode(sarifStruct)`.

```json
{
  "ruleId": "DS002",
  "ruleIndex": 0,
  "level": "error",
  "message": {
    "text": "Artifact: Dev.dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
  },
  "locations": [
    {
      "physicalLocation": {
        "artifactLocation": {
          "uri": "Dev.dockerfile",
          "uriBaseId": "ROOTPATH"
        },
        "region": {
          "startLine": 1,
          "startColumn": 1,
          "endLine": 1,
          "endColumn": 1
        }
      },
      "message": {
        "text": "Dev.dockerfile"
      }
    }
  ]
}
```

Desired Behavior

```json
{
  "ruleId": "DS002",
  "ruleIndex": 0,
  "level": "error",
  "message": {
    "text": "Artifact: Dev.dockerfile\\nType: dockerfile\\nVulnerability DS002\\nSeverity: HIGH\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
  },
  "locations": [
    {
      "physicalLocation": {
        "artifactLocation": {
          "uri": "Dev.dockerfile",
          "uriBaseId": "ROOTPATH"
        },
        "region": {
          "startLine": 1,
          "startColumn": 1,
          "endLine": 1,
          "endColumn": 1
        }
      },
      "message": {
        "text": "Dev.dockerfile"
      }
    }
  ]
}
```

It should escape with `\\n` instead.

Actual Behavior

Adds `\n` to the JSON string value.

Reproduction Steps

1. Generate a SARIF file with the example above.
2. Decode it with the Go JSON decoder.
3. Error: `parse error: invalid character '\n' in string literal`
...

Target

Filesystem

Scanner

Misconfiguration

Output Format

SARIF

Mode

Standalone

Debug Output

There's no error on the Trivy side, only when parsing the SARIF JSON.

Operating System

Github Action (Ubuntu)

Version

0.14.0

Checklist

@DmitriyLewen DmitriyLewen added scan/vulnerability Issues relating to vulnerability scanning scan/misconfiguration Issues relating to misconfiguration scanning scan/secret Issues relating to secret scanning scan/license Issues relating to license scanning labels Nov 14, 2023
@DmitriyLewen DmitriyLewen self-assigned this Nov 14, 2023
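The consumer side of this report, as an added Go example that is not code from the issue or from Trivy: `encoding/json` writes the newline inside `message.text` as the two bytes `\n`, a small scanner locates the raw control byte that makes a decoder reject a document, and the `json.NewDecoder(...).Decode` call from the report is run against a constructed copy of the document in which the escape has been replaced by a real newline. The type and function names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)
// sarifResult mirrors the parts of a SARIF results[] entry this issue is about (assumed shape).
type sarifMessage struct {
	Text string `json:"text"`
}
type sarifResult struct {
	RuleID  string       `json:"ruleId"`
	Level   string       `json:"level"`
	Message sarifMessage `json:"message"`
}

// FindRawControlChar returns the byte offset of the first unescaped control character inside a
// JSON string literal, or -1: that byte is why the decoder says "invalid character '\n' in string literal".
func FindRawControlChar(doc []byte) int {
	inString, escaped := false, false
	for i, b := range doc {
		switch {
		case !inString:
			inString = b == '"' // a quote outside a string opens one
		case escaped:
			escaped = false // the byte after a backslash belongs to the escape sequence
		case b == '\\':
			escaped = true
		case b == '"':
			inString = false
		case b < 0x20:
			return i // raw newline, tab, etc. are not allowed inside a string literal
		}
	}
	return -1
}
// EncodeResult uses encoding/json, which serializes a newline as the two bytes \n.
func EncodeResult(r sarifResult) ([]byte, error) { return json.Marshal(r) }
// DecodeResult is the consumer side from the report: json.NewDecoder(...).Decode.
func DecodeResult(doc []byte) (r sarifResult, err error) {
	err = json.NewDecoder(bytes.NewReader(doc)).Decode(&r)
	return r, err
}
func main() {
	r := sarifResult{RuleID: "DS002", Level: "error", Message: sarifMessage{Text: "Artifact: Dev.dockerfile\nType: dockerfile"}}
	good, _ := EncodeResult(r)
	bad := []byte(strings.ReplaceAll(string(good), `\n`, "\n")) // constructed: escape replaced by a raw newline byte
	_, err := DecodeResult(bad)
	fmt.Printf("good=%d bad=%d err=%v\n", FindRawControlChar(good), FindRawControlChar(bad), err)
}
```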