From 22d2755f774d925b191a185b74e782a4b0638a41 Mon Sep 17 00:00:00 2001 From: Kyle Davies <98526301+kderck@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:27:47 +0000 Subject: [PATCH 01/21] feature(config): add terraform variable files (#285) * Action now takes an input for terraform variable filess * added tf-vars * updated README.md * Updated yamlconfig test to latest version of trivy output for that container * updated for correct cpu type * test trivy version change to 0.45.0 * run scan with correct parameters * Added test for terraform tfvars * Updated output for other tests * use test data as path and updated tf vars to be relative * removed quiet --- README.md | 1 + action.yaml | 5 + entrypoint.sh | 9 +- test/data/config-sarif.test | 486 ++++++++++++++++++++++++++++++ test/data/config.test | 581 ++++++++++++++++++++++++++++++++++++ test/data/dev.tfvars | 2 + test/data/fs-scheck.test | 581 ++++++++++++++++++++++++++++++++++++ test/data/main.tf | 18 ++ test/data/tfvars.test | 39 +++ test/data/yamlconfig.test | 10 +- test/test.bats | 8 + 11 files changed, 1734 insertions(+), 6 deletions(-) create mode 100644 test/data/dev.tfvars create mode 100644 test/data/main.tf create mode 100644 test/data/tfvars.test diff --git a/README.md b/README.md index eba39ff0..69cc0c00 100644 --- a/README.md +++ b/README.md @@ -491,6 +491,7 @@ Following inputs can be used as `step.with` keys: | `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` | | `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) | | `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) | +| `tf-vars` | String | | path to Terraform variables file | | `output` | String | | Save results to a file | | `exit-code` | String | `0` | Exit code when specified vulnerabilities are found | | `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities | 
diff --git a/action.yaml b/action.yaml index 3e37c9ba..c6f457a5 100644 --- a/action.yaml +++ b/action.yaml @@ -88,6 +88,9 @@ inputs: trivy-config: description: 'path to trivy.yaml config' required: false + tf-vars: + description: "path to terraform tfvars file" + required: false limit-severities-for-sarif: description: 'limit severities for SARIF format' required: false @@ -118,4 +121,6 @@ runs: - '-t ${{ inputs.trivyignores }}' - '-u ${{ inputs.github-pat }}' - '-v ${{ inputs.trivy-config }}' + - '-x ${{ inputs.tf-vars }}' - '-z ${{ inputs.limit-severities-for-sarif }}' + \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 22befadf..8d3563db 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash set -e -while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do +while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do case "${o}" in a) export scanType=${OPTARG} @@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do v) export trivyConfig=${OPTARG} ;; + x) + export tfVars=${OPTARG} + ;; z) export limitSeveritiesForSARIF=${OPTARG} ;; @@ -132,6 +135,10 @@ if [ $skipDirs ];then SARIF_ARGS="$SARIF_ARGS --skip-dirs $i" done fi +if [ $tfVars ] && [ "$scanType" == "config" ];then + ARGS="$ARGS --tf-vars $tfVars" +fi + if [ $trivyIgnores ];then for f in $(echo $trivyIgnores | tr "," "\n") do diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test index 79500ae4..a3ce2473 100644 --- a/test/data/config-sarif.test +++ b/test/data/config-sarif.test 
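Review bot: The second action.yaml hunk ends with a whitespace-only added line (`+      `) followed by `\ No newline at end of file`, so the commit introduces trailing whitespace and strips the file's final newline; drop that line and keep the file newline-terminated. The new input's `description: "path to terraform tfvars file"` also leaves two things unsaid that a user will hit: what the path is relative to, and that the entrypoint change in this same commit only forwards it when `scan-type` is `config`. Suggest `description: "path to a Terraform tfvars file, relative to the workspace; only used when scan-type is config"`, with the relative-to-workspace wording confirmed against how trivy resolves the path inside the container.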
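Review bot: The new gate in the third entrypoint.sh hunk tests the variable unquoted (`if [ $tfVars ] && ...`), so a path containing whitespace or a glob character can expand to several words, make `[` fail with "too many arguments", and under `set -e` abort the script before trivy runs; `if [ -n "$tfVars" ] && [ "$scanType" == "config" ]; then` avoids that, and because `ARGS` is a flat string expanded later (outside this hunk) such a path would still be word-split, which deserves either a comment or an early `[ -f "$tfVars" ] || { echo "tf-vars file not found: $tfVars" >&2; exit 1; }` so the failure is attributed to the input rather than to trivy. The option is also silently discarded for every other scan type — an `fs` scan running the misconfiguration scanner never sees it — so either warn on stderr in an `else` branch or, if the pinned trivy's `fs`/`repo` commands accept `--tf-vars` (worth confirming), widen the condition to those types. The enclosing getopts/case and the option-assembly code continue outside these hunks.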
@@ -62,6 +62,249 @@ "LOW" ] } + }, + { + "id": "AVD-AWS-0086", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access block should block public ACL" + }, + "fullDescription": { + "text": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086", + "help": { + "text": "Misconfiguration AVD-AWS-0086\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public ACL\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", + "markdown": "**Misconfiguration AVD-AWS-0086**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\n\n\nS3 buckets should block public ACLs on buckets and any objects they contain. 
By blocking, PUTs with fail if the object has any public ACL a.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0087", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access block should block public policy" + }, + "fullDescription": { + "text": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087", + "help": { + "text": "Misconfiguration AVD-AWS-0087\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public policy\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", + "markdown": "**Misconfiguration AVD-AWS-0087**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\n\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0088", + "name": "Misconfiguration", + "shortDescription": { + "text": "Unencrypted S3 bucket." + }, + "fullDescription": { + "text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088", + "help": { + "text": "Misconfiguration AVD-AWS-0088\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", + "markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0089", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Bucket Logging" + }, + "fullDescription": { + "text": "Ensures S3 bucket logging is enabled for S3 buckets" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089", + "help": { + "text": "Misconfiguration AVD-AWS-0089\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\nEnsures S3 bucket logging is enabled for S3 buckets", + "markdown": "**Misconfiguration AVD-AWS-0089**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\n\nEnsures S3 bucket logging is enabled for S3 buckets" + }, + "properties": { + "precision": 
"very-high", + "security-severity": "2.0", + "tags": [ + "misconfiguration", + "security", + "LOW" + ] + } + }, + { + "id": "AVD-AWS-0090", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Data should be versioned" + }, + "fullDescription": { + "text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090", + "help": { + "text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n", + "markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
\nWith versioning you can recover more easily from both unintended user actions and application failures.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "misconfiguration", + "security", + "MEDIUM" + ] + } + }, + { + "id": "AVD-AWS-0091", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access Block should Ignore Public Acl" + }, + "fullDescription": { + "text": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091", + "help": { + "text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public Acl\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", + "markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. 
By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0093", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access block should restrict public bucket to limit access" + }, + "fullDescription": { + "text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093", + "help": { + "text": "Misconfiguration AVD-AWS-0093\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should restrict public bucket to limit access\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", + "markdown": "**Misconfiguration AVD-AWS-0093**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\n\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." 
+ }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0094", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 buckets should each define an aws_s3_bucket_public_access_block" + }, + "fullDescription": { + "text": "The \u0026#34;block public access\u0026#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094", + "help": { + "text": "Misconfiguration AVD-AWS-0094\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. 
It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", + "markdown": "**Misconfiguration AVD-AWS-0094**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\n\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "misconfiguration", + "security", + "LOW" + ] + } + }, + { + "id": "AVD-AWS-0132", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 encryption should use Customer Managed Keys" + }, + "fullDescription": { + "text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132", + "help": { + "text": "Misconfiguration AVD-AWS-0132\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. 
To increase control of the encryption and manage factors like rotation use customer managed keys.", + "markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys." + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } } ], "version": "0.45.0" 
@@ -121,6 +364,249 @@ } } ] + }, + { + "ruleId": "AVD-AWS-0086", + "ruleIndex": 2, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0086\nSeverity: HIGH\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0087", + "ruleIndex": 3, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0087\nSeverity: HIGH\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0088", + "ruleIndex": 4, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0088\nSeverity: HIGH\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0089", + "ruleIndex": 5, + "level": "note", + "message": { + "text": "Artifact: test/data/main.tf\nType: 
terraform\nVulnerability AVD-AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0090", + "ruleIndex": 6, + "level": "warning", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0090\nSeverity: MEDIUM\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 16, + "startColumn": 1, + "endLine": 16, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0091", + "ruleIndex": 7, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0091\nSeverity: HIGH\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0093", + "ruleIndex": 8, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0093\nSeverity: HIGH\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)" + }, + 
"locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0094", + "ruleIndex": 9, + "level": "note", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0094\nSeverity: LOW\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0132", + "ruleIndex": 10, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0132\nSeverity: HIGH\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] } ], "columnKind": "utf16CodeUnits", diff --git a/test/data/config.test b/test/data/config.test index bc7c3578..33de38a4 100644 --- a/test/data/config.test +++ b/test/data/config.test 
@@ -78,6 +78,587 @@ } } ] + }, + { + "Target": "test/data", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 2, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "test/data/main.tf", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 1, + "Failures": 9, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0086", + "AVDID": "AVD-AWS-0086", + "Title": "S3 Access block should block public ACL", + "Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", + "Message": "No public access block so not blocking public acls", + "Query": "data..", + "Resolution": "Enable blocking any PUT calls with a public ACL specified", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0086" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0087", + "AVDID": "AVD-AWS-0087", + "Title": "S3 Access block should block public policy", + "Description": 
"\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", + "Message": "No public access block so not blocking public policies", + "Query": "data..", + "Resolution": "Prevent policies that allow public access being PUT", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0087" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0088", + "AVDID": "AVD-AWS-0088", + "Title": "Unencrypted S3 bucket.", + "Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", + "Message": "Bucket does not have encryption enabled", + "Query": "data..", + "Resolution": "Configure bucket encryption", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", + "https://avd.aquasec.com/misconfig/avd-aws-0088" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": 
"AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0089", + "AVDID": "AVD-AWS-0089", + "Title": "S3 Bucket Logging", + "Description": "Ensures S3 bucket logging is enabled for S3 buckets", + "Message": "Bucket has logging disabled", + "Namespace": "builtin.aws.s3.aws0089", + "Query": "data.builtin.aws.s3.aws0089.deny", + "Resolution": "Add a logging block to the resource to enable access logging", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html", + "https://avd.aquasec.com/misconfig/avd-aws-0089" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": 
"Terraform Security Check", + "ID": "AVD-AWS-0090", + "AVDID": "AVD-AWS-0090", + "Title": "S3 Data should be versioned", + "Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n", + "Message": "Bucket does not have versioning enabled", + "Query": "data..", + "Resolution": "Enable versioning to protect against accidental/malicious removal or modification", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html", + "https://avd.aquasec.com/misconfig/avd-aws-0090" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket_versioning.bucket_versioning", + "Provider": "AWS", + "Service": "s3", + "StartLine": 16, + "EndLine": 16, + "Code": { + "Lines": [ + { + "Number": 12, + "Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " bucket = aws_s3_bucket.bucket.id", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " versioning_configuration {", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " status = var.bucket_versioning_enabled", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": 
true + }, + { + "Number": 17, + "Content": " }", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": "}", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + } + ] + }, + "Occurrences": [ + { + "Resource": "versioning_configuration", + "Filename": "test/data/main.tf", + "Location": { + "StartLine": 15, + "EndLine": 17 + } + }, + { + "Resource": "aws_s3_bucket_versioning.bucket_versioning", + "Filename": "test/data/main.tf", + "Location": { + "StartLine": 12, + "EndLine": 18 + } + } + ] + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0091", + "AVDID": "AVD-AWS-0091", + "Title": "S3 Access Block should Ignore Public Acl", + "Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", + "Message": "No public access block so not ignoring public acls", + "Query": "data..", + "Resolution": "Enable ignoring the application of public ACLs in PUT calls", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0091" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0093", + "AVDID": "AVD-AWS-0093", + "Title": "S3 Access block should restrict public bucket to limit access", + "Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", + "Message": "No public access block so not restricting public buckets", + "Query": "data..", + "Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0093" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0094", + "AVDID": "AVD-AWS-0094", + "Title": "S3 buckets should each define an aws_s3_bucket_public_access_block", + "Description": "The \"block public access\" settings in S3 override individual policies that apply to a given 
bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", + "Message": "Bucket does not have a corresponding public access block.", + "Query": "data..", + "Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0094" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0132", + "AVDID": "AVD-AWS-0132", + "Title": "S3 encryption should use Customer Managed Keys", + "Description": "Encryption using AWS keys provides protection for your S3 buckets. 
To increase control of the encryption and manage factors like rotation use customer managed keys.", + "Message": "Bucket does not encrypt data with a customer managed key.", + "Query": "data..", + "Resolution": "Enable encryption using customer managed keys", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", + "https://avd.aquasec.com/misconfig/avd-aws-0132" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] } ] } diff --git a/test/data/dev.tfvars b/test/data/dev.tfvars new file mode 100644 index 00000000..6fc5f84b --- /dev/null +++ b/test/data/dev.tfvars @@ -0,0 +1,2 @@ +# test data for trivy config with terraform variables +bucket_versioning_enabled="Enabled" \ No newline at end of file diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test index bc7c3578..33de38a4 100644 --- a/test/data/fs-scheck.test +++ b/test/data/fs-scheck.test 
@@ -78,6 +78,587 @@ } } ] + }, + { + "Target": "test/data", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 2, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "test/data/main.tf", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 1, + "Failures": 9, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0086", + "AVDID": "AVD-AWS-0086", + "Title": "S3 Access block should block public ACL", + "Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", + "Message": "No public access block so not blocking public acls", + "Query": "data..", + "Resolution": "Enable blocking any PUT calls with a public ACL specified", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0086" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0087", + "AVDID": "AVD-AWS-0087", + "Title": "S3 Access block should block public policy", + "Description": 
"\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", + "Message": "No public access block so not blocking public policies", + "Query": "data..", + "Resolution": "Prevent policies that allow public access being PUT", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0087" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0088", + "AVDID": "AVD-AWS-0088", + "Title": "Unencrypted S3 bucket.", + "Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", + "Message": "Bucket does not have encryption enabled", + "Query": "data..", + "Resolution": "Configure bucket encryption", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", + "https://avd.aquasec.com/misconfig/avd-aws-0088" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": 
"AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0089", + "AVDID": "AVD-AWS-0089", + "Title": "S3 Bucket Logging", + "Description": "Ensures S3 bucket logging is enabled for S3 buckets", + "Message": "Bucket has logging disabled", + "Namespace": "builtin.aws.s3.aws0089", + "Query": "data.builtin.aws.s3.aws0089.deny", + "Resolution": "Add a logging block to the resource to enable access logging", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html", + "https://avd.aquasec.com/misconfig/avd-aws-0089" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": 
"Terraform Security Check", + "ID": "AVD-AWS-0090", + "AVDID": "AVD-AWS-0090", + "Title": "S3 Data should be versioned", + "Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n", + "Message": "Bucket does not have versioning enabled", + "Query": "data..", + "Resolution": "Enable versioning to protect against accidental/malicious removal or modification", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html", + "https://avd.aquasec.com/misconfig/avd-aws-0090" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket_versioning.bucket_versioning", + "Provider": "AWS", + "Service": "s3", + "StartLine": 16, + "EndLine": 16, + "Code": { + "Lines": [ + { + "Number": 12, + "Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " bucket = aws_s3_bucket.bucket.id", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " versioning_configuration {", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " status = var.bucket_versioning_enabled", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": 
true + }, + { + "Number": 17, + "Content": " }", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": "}", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + } + ] + }, + "Occurrences": [ + { + "Resource": "versioning_configuration", + "Filename": "test/data/main.tf", + "Location": { + "StartLine": 15, + "EndLine": 17 + } + }, + { + "Resource": "aws_s3_bucket_versioning.bucket_versioning", + "Filename": "test/data/main.tf", + "Location": { + "StartLine": 12, + "EndLine": 18 + } + } + ] + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0091", + "AVDID": "AVD-AWS-0091", + "Title": "S3 Access Block should Ignore Public Acl", + "Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", + "Message": "No public access block so not ignoring public acls", + "Query": "data..", + "Resolution": "Enable ignoring the application of public ACLs in PUT calls", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0091" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0093", + "AVDID": "AVD-AWS-0093", + "Title": "S3 Access block should restrict public bucket to limit access", + "Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", + "Message": "No public access block so not restricting public buckets", + "Query": "data..", + "Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0093" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0094", + "AVDID": "AVD-AWS-0094", + "Title": "S3 buckets should each define an aws_s3_bucket_public_access_block", + "Description": "The \"block public access\" settings in S3 override individual policies that apply to a given 
bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", + "Message": "Bucket does not have a corresponding public access block.", + "Query": "data..", + "Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0094" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0132", + "AVDID": "AVD-AWS-0132", + "Title": "S3 encryption should use Customer Managed Keys", + "Description": "Encryption using AWS keys provides protection for your S3 buckets. 
To increase control of the encryption and manage factors like rotation use customer managed keys.", + "Message": "Bucket does not encrypt data with a customer managed key.", + "Query": "data..", + "Resolution": "Enable encryption using customer managed keys", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", + "https://avd.aquasec.com/misconfig/avd-aws-0132" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] } ] } diff --git a/test/data/main.tf b/test/data/main.tf new file mode 100644 index 00000000..85208bb2 --- /dev/null +++ b/test/data/main.tf @@ -0,0 +1,18 @@ +# test data for trivy config with terraform variables + +variable "bucket_versioning_enabled" { + type = string + default = "Disabled" +} + +resource "aws_s3_bucket" "bucket" { + bucket = "trivy-action-bucket" +} + +resource "aws_s3_bucket_versioning" "bucket_versioning" { + bucket = aws_s3_bucket.bucket.id + + versioning_configuration { + status = var.bucket_versioning_enabled + } +} \ No newline at end of file diff --git a/test/data/tfvars.test b/test/data/tfvars.test new file mode 100644 index 00000000..428b11b3 --- /dev/null +++ b/test/data/tfvars.test 
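Review bot: Placing a deliberately misconfigured `main.tf` directly in `test/data` changes the expected output of every other scan of that directory, which is why the `fs-scheck.test` hunk above now carries nine new Terraform failures for `test/data/main.tf` and the diffstat shows `config.test` growing by the same amount. Keeping the tfvars fixture in its own subdirectory (a constructed `test/data/tfvars/`, for example) and pointing the new bats test's `-j` argument there would leave the existing fixtures untouched and keep each expected file tied to a single scenario. The `variable` block could also carry a `description` so the `"Disabled"` default is self-explanatory, and the file is written without a trailing newline.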
@@ -0,0 +1,39 @@ +{ + "SchemaVersion": 2, + "ArtifactName": "test/data", + "ArtifactType": "filesystem", + "Metadata": { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + }, + "Results": [ + { + "Target": ".", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 2, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "main.tf", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 1, + "Failures": 0, + "Exceptions": 0 + } + } + ] +} diff --git a/test/data/yamlconfig.test b/test/data/yamlconfig.test index b34ab8ab..d04683cf 100644 --- a/test/data/yamlconfig.test +++ b/test/data/yamlconfig.test 
@@ -98,15 +98,15 @@
 "https://access.redhat.com/security/cve/CVE-2021-36159",
 "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
 "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
- "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
- "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
- "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
- "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E",
+ "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E",
+ "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E",
+ "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E",
+ "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E",
 "https://nvd.nist.gov/vuln/detail/CVE-2021-36159",
 "https://www.cve.org/CVERecord?id=CVE-2021-36159"
 ],
 "PublishedDate": "2021-08-03T14:15:00Z",
- "LastModifiedDate": "2021-10-18T12:19:00Z"
+ "LastModifiedDate": "2023-11-07T03:36:00Z"
 }
 ]
 }
diff --git a/test/test.bats b/test/test.bats
index 13a69ced..5301eab1 100644
--- a/test/test.bats
+++ b/test/test.bats
@@ -81,3 +81,11 @@ bats_load_library bats-file
 echo "$output"
 assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
 }
+
+@test "trivy config with terraform variables" {
+ # trivy config --format json --severity MEDIUM --output tfvars.test --tf-vars ./test/data/dev.tfvars ./test/data
+ run ./entrypoint.sh "-a config" "-j ./test/data" "-h tfvars.test" "-g MEDIUM" "-x dev.tfvars" "-b json"
+ run diff tfvars.test ./test/data/tfvars.test
+ echo "$output"
+ assert_files_equal tfvars.test ./test/data/tfvars.test
+}
\ No newline at end of file
From 91713af97dc80187565512baba96e4364e983601 Mon Sep 17 00:00:00 2001 From: Ivan Santos <301291+pragmaticivan@users.noreply.github.com> Date: Fri, 8 Dec 2023 12:08:35 -0600 Subject: [PATCH 02/21] Update to trivy version 0.48.0 (#289) * Update to trivy version 0.48.0 --------- Signed-off-by: Simar Co-authored-by: Simar --- .github/workflows/build.yaml | 4 +- Dockerfile | 2 +- test/data/config-sarif.test | 72 ++++++++++++++++++------------------ test/data/config.test | 31 ++++++++++++++++ test/data/fs-scheck.test | 31 ++++++++++++++++ test/data/image-sarif.test | 2 +- test/data/repo.test | 1 + test/data/tfvars.test | 1 + test/data/yamlconfig.test | 3 +- 9 files changed, 106 insertions(+), 41 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f4d2a52f..46e63a86 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
- TRIVY_VERSION: 0.45.0
+ TRIVY_VERSION: 0.48.0
 BATS_LIB_PATH: '/usr/lib/'
 jobs:
 build:
@@ -25,4 +25,4 @@ jobs: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }} - name: Test - run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing . \ No newline at end of file + run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing . 
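Review bot: The reproduction comment in the new test does not match the command it documents: the comment passes `--tf-vars ./test/data/dev.tfvars` while the `run ./entrypoint.sh` line passes `-x dev.tfvars`, so a reader copying the comment ends up with a different path than the one the fixture was generated with. Align it with the invocation, e.g. `# trivy config --format json --severity MEDIUM --output tfvars.test --tf-vars dev.tfvars ./test/data`, and say which directory the tfvars path is resolved against (it looks relative to the `-j ./test/data` scan ref, but the entrypoint that builds the argument is not in this hunk, so confirm). The exit status of the `run ./entrypoint.sh` call is never asserted, so a failed scan would surface only as a confusing file diff later; a `[ "$status" -eq 0 ]` right after that line would pin it. The file also ends without a trailing newline.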
diff --git a/Dockerfile b/Dockerfile
index 05cd4a6a..ebbe6bd8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.47.0
+FROM ghcr.io/aquasecurity/trivy:0.48.0
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh
diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test
index a3ce2473..5269f310 100644
--- a/test/data/config-sarif.test
+++ b/test/data/config-sarif.test
@@ -1,6 +1,6 @@
 {
 "version": "2.1.0",
- "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+ "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
 "runs": [
 {
 "tool": {
@@ -23,8 +23,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/ds002", "help": { - "text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile." + "text": "Misconfiguration DS002\\nType: Dockerfile Security Check\\nSeverity: HIGH\\nCheck: Image user should not be 'root'\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "markdown": "**Misconfiguration DS002**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\\n\\nRunning containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile." }, "properties": { "precision": "very-high", @@ -50,8 +50,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/ds026", "help": { - "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers." + "text": "Misconfiguration DS026\\nType: Dockerfile Security Check\\nSeverity: LOW\\nCheck: No HEALTHCHECK defined\\nMessage: Add HEALTHCHECK instruction in your Dockerfile\\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "markdown": "**Misconfiguration DS026**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\\n\\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers." }, "properties": { "precision": "very-high", 
@@ -77,8 +77,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086", "help": { - "text": "Misconfiguration AVD-AWS-0086\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public ACL\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", - "markdown": "**Misconfiguration AVD-AWS-0086**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\n\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n" + "text": "Misconfiguration AVD-AWS-0086\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should block public ACL\\nMessage: No public access block so not blocking public acls\\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", + "markdown": "**Misconfiguration AVD-AWS-0086**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\\n\\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n" }, "properties": { "precision": "very-high", 
@@ -104,8 +104,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087", "help": { - "text": "Misconfiguration AVD-AWS-0087\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public policy\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", - "markdown": "**Misconfiguration AVD-AWS-0087**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\n\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" + "text": "Misconfiguration AVD-AWS-0087\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should block public policy\\nMessage: No public access block so not blocking public policies\\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", + "markdown": "**Misconfiguration AVD-AWS-0087**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\\n\\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" }, "properties": { "precision": "very-high", 
@@ -131,8 +131,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088", "help": { - "text": "Misconfiguration AVD-AWS-0088\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", - "markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." + "text": "Misconfiguration AVD-AWS-0088\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: Unencrypted S3 bucket.\\nMessage: Bucket does not have encryption enabled\\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", + "markdown": "**Misconfiguration AVD-AWS-0088**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\\n\\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." }, "properties": { "precision": "very-high", 
@@ -158,8 +158,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089", "help": { - "text": "Misconfiguration AVD-AWS-0089\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\nEnsures S3 bucket logging is enabled for S3 buckets", - "markdown": "**Misconfiguration AVD-AWS-0089**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\n\nEnsures S3 bucket logging is enabled for S3 buckets" + "text": "Misconfiguration AVD-AWS-0089\\nType: Terraform Security Check\\nSeverity: LOW\\nCheck: S3 Bucket Logging\\nMessage: Bucket has logging disabled\\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\\nEnsures S3 bucket logging is enabled for S3 buckets", + "markdown": "**Misconfiguration AVD-AWS-0089**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\\n\\nEnsures S3 bucket logging is enabled for S3 buckets" }, "properties": { "precision": "very-high", 
@@ -185,8 +185,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090", "help": { - "text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n", - "markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n" + "text": "Misconfiguration AVD-AWS-0090\\nType: Terraform Security Check\\nSeverity: MEDIUM\\nCheck: S3 Data should be versioned\\nMessage: Bucket does not have versioning enabled\\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
\nWith versioning you can recover more easily from both unintended user actions and application failures.\n", + "markdown": "**Misconfiguration AVD-AWS-0090**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\\n\\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n" }, "properties": { "precision": "very-high", 
@@ -212,8 +212,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091", "help": { - "text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public Acl\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", - "markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" + "text": "Misconfiguration AVD-AWS-0091\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access Block should Ignore Public Acl\\nMessage: No public access block so not ignoring public acls\\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", + "markdown": "**Misconfiguration AVD-AWS-0091**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\\n\\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. 
By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" }, "properties": { "precision": "very-high", 
@@ -239,8 +239,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093", "help": { - "text": "Misconfiguration AVD-AWS-0093\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should restrict public bucket to limit access\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", - "markdown": "**Misconfiguration AVD-AWS-0093**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\n\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." + "text": "Misconfiguration AVD-AWS-0093\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should restrict public bucket to limit access\\nMessage: No public access block so not restricting public buckets\\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", + "markdown": "**Misconfiguration AVD-AWS-0093**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\\n\\nS3 buckets should restrict public policies for the bucket. 
By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." }, "properties": { "precision": "very-high", 
@@ -266,8 +266,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094", "help": { - "text": "Misconfiguration AVD-AWS-0094\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", - "markdown": "**Misconfiguration AVD-AWS-0094**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\n\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." + "text": "Misconfiguration AVD-AWS-0094\\nType: Terraform Security Check\\nSeverity: LOW\\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\\nMessage: Bucket does not have a corresponding public access block.\\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. 
It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", + "markdown": "**Misconfiguration AVD-AWS-0094**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\\n\\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." }, "properties": { "precision": "very-high", 
@@ -293,8 +293,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132", "help": { - "text": "Misconfiguration AVD-AWS-0132\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.", - "markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys." + "text": "Misconfiguration AVD-AWS-0132\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 encryption should use Customer Managed Keys\\nMessage: Bucket does not encrypt data with a customer managed key.\\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.", + "markdown": "**Misconfiguration AVD-AWS-0132**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\\n\\nEncryption using AWS keys provides protection for your S3 buckets. 
To increase control of the encryption and manage factors like rotation use customer managed keys." }, "properties": { "precision": "very-high", @@ -307,7 +307,7 @@ } } ], - "version": "0.45.0" + "version": "0.48.0" } }, "results": [ @@ -316,7 +316,7 @@ "ruleIndex": 0, "level": "error", "message": { - "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)" + "text": "Artifact: Dockerfile\\nType: dockerfile\\nVulnerability DS002\\nSeverity: HIGH\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)" }, "locations": [ { @@ -343,7 +343,7 @@ "ruleIndex": 1, "level": "note", "message": { - "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)" + "text": "Artifact: Dockerfile\\nType: dockerfile\\nVulnerability DS026\\nSeverity: LOW\\nMessage: Add HEALTHCHECK instruction in your Dockerfile\\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)" }, "locations": [ { @@ -370,7 +370,7 @@ "ruleIndex": 2, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0086\nSeverity: HIGH\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0086\\nSeverity: HIGH\\nMessage: No public access block so not blocking public acls\\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)" }, "locations": [ { 
@@ -397,7 +397,7 @@ "ruleIndex": 3, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0087\nSeverity: HIGH\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0087\\nSeverity: HIGH\\nMessage: No public access block so not blocking public policies\\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)" }, "locations": [ { @@ -424,7 +424,7 @@ "ruleIndex": 4, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0088\nSeverity: HIGH\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0088\\nSeverity: HIGH\\nMessage: Bucket does not have encryption enabled\\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)" }, "locations": [ { @@ -451,7 +451,7 @@ "ruleIndex": 5, "level": "note", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0089\\nSeverity: LOW\\nMessage: Bucket has logging disabled\\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)" }, "locations": [ { 
@@ -478,7 +478,7 @@ "ruleIndex": 6, "level": "warning", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0090\nSeverity: MEDIUM\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0090\\nSeverity: MEDIUM\\nMessage: Bucket does not have versioning enabled\\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)" }, "locations": [ { @@ -505,7 +505,7 @@ "ruleIndex": 7, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0091\nSeverity: HIGH\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0091\\nSeverity: HIGH\\nMessage: No public access block so not ignoring public acls\\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)" }, "locations": [ { @@ -532,7 +532,7 @@ "ruleIndex": 8, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0093\nSeverity: HIGH\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0093\\nSeverity: HIGH\\nMessage: No public access block so not restricting public buckets\\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)" }, "locations": [ { 
@@ -559,7 +559,7 @@ "ruleIndex": 9, "level": "note", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0094\nSeverity: LOW\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0094\\nSeverity: LOW\\nMessage: Bucket does not have a corresponding public access block.\\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)" }, "locations": [ { @@ -586,7 +586,7 @@ "ruleIndex": 10, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0132\nSeverity: HIGH\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0132\\nSeverity: HIGH\\nMessage: Bucket does not encrypt data with a customer managed key.\\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)" }, "locations": [ { @@ -612,7 +612,7 @@ "columnKind": "utf16CodeUnits", "originalUriBaseIds": { "ROOTPATH": { - "uri": "file:///" + "uri": "file:///Users/simarpreetsingh/repos/trivy-action/" } } } diff --git a/test/data/config.test b/test/data/config.test index 33de38a4..df498d2a 100644 --- a/test/data/config.test +++ b/test/data/config.test @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2023-12-08T11:02:54.295987-07:00", "ArtifactName": ".", "ArtifactType": "filesystem", "Metadata": { @@ -130,6 +131,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, 
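Review bot: The `originalUriBaseIds.ROOTPATH.uri` value in the `@@ -612` hunk is now `file:///Users/simarpreetsingh/repos/trivy-action/`, a maintainer's local checkout path, where the previous fixture had the neutral `file:///`. The action runs the scan inside a container against `/github/workspace/`, so this value will not match in CI unless the bats comparison normalizes it, and it also commits a personal home-directory path into the repository and into any SARIF derived from this fixture. Regenerate the fixture from a path-independent working directory, or mask `uri` in the test before comparing; `test/test.bats` is not visible here, so I cannot confirm which it currently does.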
@@ -139,6 +141,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -148,6 +151,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -186,6 +190,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -195,6 +200,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -204,6 +210,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -242,6 +249,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -251,6 +259,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -260,6 +269,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -299,6 +309,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, 
@@ -308,6 +319,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -317,6 +329,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -355,6 +368,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {", "FirstCause": false, "LastCause": false }, @@ -364,6 +378,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id", "FirstCause": false, "LastCause": false }, @@ -382,6 +397,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " versioning_configuration {", "FirstCause": false, "LastCause": false }, @@ -391,6 +407,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled", "FirstCause": true, "LastCause": true }, @@ -400,6 +417,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " }", "FirstCause": false, "LastCause": false }, @@ -409,6 +427,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": "}", "FirstCause": false, "LastCause": false } @@ -465,6 +484,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -474,6 +494,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, 
@@ -483,6 +504,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -521,6 +543,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -530,6 +553,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -539,6 +563,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -577,6 +602,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -586,6 +612,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -595,6 +622,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -633,6 +661,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -642,6 +671,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -651,6 +681,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } 
diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test index 33de38a4..30474a40 100644 --- a/test/data/fs-scheck.test +++ b/test/data/fs-scheck.test @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2023-12-08T11:02:56.571535-07:00", "ArtifactName": ".", "ArtifactType": "filesystem", "Metadata": { @@ -130,6 +131,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -139,6 +141,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -148,6 +151,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -186,6 +190,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -195,6 +200,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -204,6 +210,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -242,6 +249,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -251,6 +259,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, 
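Review bot: The fixture gains a `CreatedAt` wall-clock timestamp (`2023-12-08T11:02:56.571535-07:00`) that no future trivy run will reproduce, so a byte-for-byte comparison against this file fails on the next execution; the same field is added to `config.test`, `repo.test`, `tfvars.test` and `yamlconfig.test` in this patch. If `test/test.bats` (not visible here) does not already strip or ignore `CreatedAt` before diffing, either filter it there or drop the field from the committed expected outputs. Running `jq 'del(.CreatedAt)'` on both the actual and expected JSON before the comparison is a small, explicit way to keep these fixtures stable.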
@@ -260,6 +269,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -299,6 +309,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -308,6 +319,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -317,6 +329,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -355,6 +368,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {", "FirstCause": false, "LastCause": false }, @@ -364,6 +378,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id", "FirstCause": false, "LastCause": false }, @@ -382,6 +397,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " versioning_configuration {", "FirstCause": false, "LastCause": false }, @@ -391,6 +407,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled", "FirstCause": true, "LastCause": true }, @@ -400,6 +417,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " }", "FirstCause": false, "LastCause": false }, @@ -409,6 +427,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": "}", "FirstCause": false, "LastCause": false } 
@@ -465,6 +484,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -474,6 +494,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -483,6 +504,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -521,6 +543,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -530,6 +553,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -539,6 +563,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -577,6 +602,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -586,6 +612,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -595,6 +622,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } 
@@ -633,6 +661,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -642,6 +671,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -651,6 +681,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } diff --git a/test/data/image-sarif.test b/test/data/image-sarif.test index 932ff7bc..c6295c9d 100644 --- a/test/data/image-sarif.test +++ b/test/data/image-sarif.test @@ -74,4 +74,4 @@ } } ] -} \ No newline at end of file +} diff --git a/test/data/repo.test b/test/data/repo.test index b7bc4dca..f39a664b 100644 --- a/test/data/repo.test +++ b/test/data/repo.test @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2023-12-08T11:02:50.045151-07:00", "ArtifactName": "https://github.com/krol3/demo-trivy/", "ArtifactType": "repository", "Metadata": { diff --git a/test/data/tfvars.test b/test/data/tfvars.test index 428b11b3..1eaecaa3 100644 --- a/test/data/tfvars.test +++ b/test/data/tfvars.test @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2023-12-08T11:03:02.76948-07:00", "ArtifactName": "test/data", "ArtifactType": "filesystem", "Metadata": { diff --git a/test/data/yamlconfig.test b/test/data/yamlconfig.test index d04683cf..498bb77e 100644 --- a/test/data/yamlconfig.test +++ b/test/data/yamlconfig.test @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2023-12-08T11:03:01.877209-07:00", "ArtifactName": "alpine:3.10", "ArtifactType": "container_image", "Metadata": { 
@@ -76,7 +77,7 @@ "Name": "Alpine Secdb", "URL": "https://secdb.alpinelinux.org/" }, - "Title": "an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash", + "Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash", "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", "Severity": "CRITICAL", "CweIDs": [ From 5f1841df8d34621a80bd1c6224be425990b2a8f6 Mon Sep 17 00:00:00 2001 From: Martin Kemp Date: Wed, 3 Jan 2024 00:51:04 +0000 Subject: [PATCH 03/21] Update Trivy to 0.48.1 (#291) * Update Trivy to 0.48.1 Signed-off-by: Martin Kemp * update tests --------- Signed-off-by: Martin Kemp Co-authored-by: Simar --- .github/workflows/build.yaml | 2 +- Dockerfile | 2 +- test/data/config-sarif.test | 4 ++-- test/data/config.test | 2 +- test/data/fs-scheck.test | 2 +- test/data/repo.test | 2 +- test/data/tfvars.test | 2 +- test/data/yamlconfig.test | 6 +++--- 8 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 46e63a86..817eb41e 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,7 +1,7 @@ name: "build" on: [push, pull_request] env: - TRIVY_VERSION: 0.48.0 + TRIVY_VERSION: 0.48.1 BATS_LIB_PATH: '/usr/lib/' jobs: build: diff --git a/Dockerfile b/Dockerfile index ebbe6bd8..f9fae013 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,4 @@ -FROM ghcr.io/aquasecurity/trivy:0.48.0 +FROM ghcr.io/aquasecurity/trivy:0.48.1 COPY entrypoint.sh / RUN apk --no-cache add bash curl npm RUN chmod +x /entrypoint.sh diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test index 5269f310..3189a576 100644 --- a/test/data/config-sarif.test +++ b/test/data/config-sarif.test @@ -307,7 +307,7 @@ } } ], - "version": "0.48.0" + "version": "0.48.1" } }, "results": [ @@ -612,7 +612,7 @@ "columnKind": "utf16CodeUnits", "originalUriBaseIds": { "ROOTPATH": { - "uri": "file:///Users/simarpreetsingh/repos/trivy-action/" + "uri": "file:///home/runner/work/trivy-action/trivy-action/" } } } diff --git a/test/data/config.test b/test/data/config.test index df498d2a..5a3b830e 100644 --- a/test/data/config.test +++ b/test/data/config.test @@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "CreatedAt": "2023-12-08T11:02:54.295987-07:00", + "CreatedAt": "2024-01-02T23:40:12.036390742Z", "ArtifactName": ".", "ArtifactType": "filesystem", "Metadata": { diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test index 30474a40..da0a280f 100644 --- a/test/data/fs-scheck.test +++ b/test/data/fs-scheck.test @@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "CreatedAt": "2023-12-08T11:02:56.571535-07:00", + "CreatedAt": "2024-01-02T23:40:15.166517221Z", "ArtifactName": ".", "ArtifactType": "filesystem", "Metadata": { diff --git a/test/data/repo.test b/test/data/repo.test index f39a664b..2c483fdf 100644 --- a/test/data/repo.test +++ b/test/data/repo.test @@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "CreatedAt": "2023-12-08T11:02:50.045151-07:00", + "CreatedAt": "2024-01-02T23:40:04.647712097Z", "ArtifactName": "https://github.com/krol3/demo-trivy/", "ArtifactType": "repository", "Metadata": { diff --git a/test/data/tfvars.test b/test/data/tfvars.test index 1eaecaa3..c2d09b88 100644 --- a/test/data/tfvars.test +++ b/test/data/tfvars.test 
@@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "CreatedAt": "2023-12-08T11:03:02.76948-07:00", + "CreatedAt": "2024-01-02T16:27:32.841193-07:00", "ArtifactName": "test/data", "ArtifactType": "filesystem", "Metadata": { diff --git a/test/data/yamlconfig.test b/test/data/yamlconfig.test index 498bb77e..0edc4774 100644 --- a/test/data/yamlconfig.test +++ b/test/data/yamlconfig.test @@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "CreatedAt": "2023-12-08T11:03:01.877209-07:00", + "CreatedAt": "2024-01-02T23:40:21.039454971Z", "ArtifactName": "alpine:3.10", "ArtifactType": "container_image", "Metadata": { @@ -106,8 +106,8 @@ "https://nvd.nist.gov/vuln/detail/CVE-2021-36159", "https://www.cve.org/CVERecord?id=CVE-2021-36159" ], - "PublishedDate": "2021-08-03T14:15:00Z", - "LastModifiedDate": "2023-11-07T03:36:00Z" + "PublishedDate": "2021-08-03T14:15:08.233Z", + "LastModifiedDate": "2023-11-07T03:36:43.337Z" } ] } From d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca Mon Sep 17 00:00:00 2001 From: Lucas Bickel <116588+hairmare@users.noreply.github.com> Date: Wed, 3 Jan 2024 10:53:48 +1000 Subject: [PATCH 04/21] docs: fix typo in README.md (#293) Signed-off-by: Lucas Bickel --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 69cc0c00..4ec967f1 100644 --- a/README.md +++ b/README.md @@ -86,7 +86,7 @@ It is possible to define all options in the `trivy.yaml` file. Specifying indivi - `image-ref`: If using `image` scan. - `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc. -#### Order of prerference for options +#### Order of preference for options Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows: - GitHub Action flag - Environment variable From 0b9d17b6b5fdec04f3d5b5b9c4cd20058c7e4cbf Mon Sep 17 00:00:00 2001 
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Fri, 12 Jan 2024 04:13:21 +0600 Subject: [PATCH 05/21] docs: add configuration info for flags not supported by inputs (#296) * docs: add information about configuration flags not supported by inputs * docs: add env and config file to Customizing --- README.md | 69 ++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 43 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 4ec967f1..284d520b 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,8 @@ In this case `trivy.yaml` is a YAML configuration that is checked in as part of format: json exit-code: 1 severity: CRITICAL +secret: + config: config/trivy/secret.yaml ``` It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file: 
@@ -479,36 +481,49 @@ jobs: ## Customizing +Configuration priority: +- [Inputs](#inputs) +- [Environment variables](#environment-variables) +- [Trivy config file](#trivy-config-file) +- Default values + + ### inputs Following inputs can be used as `step.with` keys: -| Name | Type | Default | Description | -|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------| -| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` | -| `input` | String | | Tar reference, e.g. `alpine-latest.tar` | -| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | -| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` | -| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) | -| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) | -| `tf-vars` | String | | path to Terraform variables file | -| `output` | String | | Save results to a file | -| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found | -| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities | -| `vuln-type` | String | `os,library` | Vulnerability types (os,library) | -| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed | -| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped | -| `skip-files` | String | | Comma separated list of files where traversal is skipped | -| `cache-dir` | String | | Cache directory | -| `timeout` | String | `5m0s` | Scan timeout duration | -| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | -| `hide-progress` | String | `true` | Suppress progress bar | -| `list-all-pkgs` | String | | Output all packages regardless of vulnerability | -| `scanners` | String | `vuln,secret` | 
comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) | -| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | -| `trivy-config` | String | | Path to trivy.yaml config | -| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | -| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | +| Name | Type | Default | Description | +|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` | +| `input` | String | | Tar reference, e.g. `alpine-latest.tar` | +| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | +| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. 
`/github/workspace/` or `.` | +| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) | +| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) | +| `tf-vars` | String | | path to Terraform variables file | +| `output` | String | | Save results to a file | +| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found | +| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities | +| `vuln-type` | String | `os,library` | Vulnerability types (os,library) | +| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed | +| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped | +| `skip-files` | String | | Comma separated list of files where traversal is skipped | +| `cache-dir` | String | | Cache directory | +| `timeout` | String | `5m0s` | Scan timeout duration | +| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | +| `hide-progress` | String | `true` | Suppress progress bar | +| `list-all-pkgs` | String | | Output all packages regardless of vulnerability | +| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) | +| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | +| `trivy-config` | String | | Path to trivy.yaml config | +| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | +| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. 
To override this behavior set this parameter to **true** | + +### Environment variables +You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`). + +### Trivy config file +When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`). [release]: https://github.com/aquasecurity/trivy-action/releases/latest [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github @@ -516,3 +531,5 @@ Following inputs can be used as `step.with` keys: [marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github [license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE [license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action +[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables +[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ \ No newline at end of file From f3d98514b056d8c71a3552e8328c225bc7f6f353 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sim=C3=A3o=20Silva?= <37107350+simao-silva@users.noreply.github.com> Date: Sun, 14 Jan 2024 21:28:49 +0000 Subject: [PATCH 06/21] fix: Fix `skip-files` and `hide-progress` options not being applied when using Sarif report format (#297) * Update entrypoint.sh * Update entrypoint.sh * Update entrypoint.sh --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 8d3563db..38832fe1 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -163,6 +163,7 @@ if [ $ignorePolicy ];then fi if [ "$hideProgress" == "true" ];then ARGS="$ARGS --no-progress" + SARIF_ARGS="$SARIF_ARGS --no-progress" fi listAllPkgs=$(echo $listAllPkgs | tr -d '\r') 
@@ -173,6 +174,7 @@ if [ "$skipFiles" ];then
 for i in $(echo $skipFiles | tr "," "\n")
 do
 ARGS="$ARGS --skip-files $i"
+ SARIF_ARGS="$SARIF_ARGS --skip-files $i"
 done
 fi
From 84384bd6e777ef152729993b8145ea352e9dd3ef Mon Sep 17 00:00:00 2001
From: Kyle Davies <98526301+kderck@users.noreply.github.com>
Date: Tue, 6 Feb 2024 01:54:03 +0000
Subject: [PATCH 07/21] Upgraded Trivy from 0.48.1 to v0.49.0 (#304)
---
 .github/workflows/build.yaml | 2 +-
 Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 817eb41e..16915c2a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
- TRIVY_VERSION: 0.48.1
+ TRIVY_VERSION: 0.49.0
 BATS_LIB_PATH: '/usr/lib/'
 jobs:
 build:
diff --git a/Dockerfile b/Dockerfile
index f9fae013..81d2f323 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.48.1
+FROM ghcr.io/aquasecurity/trivy:0.49.0
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh
From 1f6384b6ceecbbc6673526f865b818a2a06b07c9 Mon Sep 17 00:00:00 2001
From: Maxime Durand <72691393+Maxim-Durand@users.noreply.github.com>
Date: Tue, 13 Feb 2024 23:20:36 +0100
Subject: [PATCH 08/21] docs(report): improve documentation around `Using Trivy to generate SBOM` and sending it to Github (#307)
* Improved documentation with details on how to send output as an artifact on Github and giving an example of a private image scan
* formatting
* better name for job
---
 README.md | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/README.md b/README.md
index 284d520b..0d971f68 100644
--- a/README.md
+++ b/README.md
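Review bot: The fix mirrors `--skip-files` into SARIF_ARGS by hand inside the for loop, and that manual duplication is exactly how `--skip-files` and `--no-progress` came to be missing from the SARIF invocation in the first place; the same pattern is in the `--no-progress` hunk just above. Accumulating options that apply to both invocations into one shared string that both the SARIF and the default `trivy` calls expand, e.g. `COMMON_ARGS="$COMMON_ARGS --skip-files $i"` in place of the two appends, would mean the next option added cannot be forgotten on one side. Note also that `for i in $(echo $skipFiles | tr "," "\n")` word-splits and glob-expands each entry, so a path containing whitespace or `*` is mangled before it reaches either string; that limitation deserves a sentence in the input's description. The enclosing `if [ "$skipFiles" ]` block's header is the hunk's context line, so the block starts outside the hunk.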
@@ -337,6 +337,49 @@ jobs: github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT ``` +When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance. + +You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact): + +```yaml +--- +name: Pull Request +on: + push: + branches: + - main + +## GITHUB_TOKEN authentication, add only if you're not going to use a PAT +permissions: + contents: write + +jobs: + build: + name: Checks + runs-on: ubuntu-20.04 + steps: + - name: Scan image in a private registry + uses: aquasecurity/trivy-action@master + with: + image-ref: "private_image_registry/image_name:image_tag" + scan-type: image + format: 'github' + output: 'dependency-results.sbom.json' + github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT + severity: "MEDIUM,HIGH,CRITICAL" + scanners: "vuln" + env: + TRIVY_USERNAME: "image_registry_admin_username" + TRIVY_PASSWORD: "image_registry_admin_password" + + - name: Upload trivy report as a Github artifact + uses: actions/upload-artifact@v4 + with: + name: trivy-sbom-report + path: '${{ github.workspace }}/dependency-results.sbom.json' + retention-days: 20 # 90 is the default +``` + ### Using Trivy to scan your private registry It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars. From 062f2592684a31eb3aa050cc61e7ca1451cecd3d Mon Sep 17 00:00:00 2001 From: cococig <84442548+cococig@users.noreply.github.com> Date: Fri, 23 Feb 2024 06:28:04 +0900 Subject: [PATCH 09/21] fix: Refer to scan-ref when scan-type is "sbom" (#314) --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 38832fe1..e6306f18 100755 --- a/entrypoint.sh 
+++ b/entrypoint.sh
@@ -80,7 +80,7 @@ done
 scanType=$(echo $scanType | tr -d '\r')
 export artifactRef="${imageRef}"
-if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
+if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then
 artifactRef=$(echo $scanRef | tr -d '\r')
 fi
 input=$(echo $input | tr -d '\r')
From d710430a6722f083d3b36b8339ff66b32f22ee55 Mon Sep 17 00:00:00 2001
From: simar7 <1254783+simar7@users.noreply.github.com>
Date: Wed, 27 Mar 2024 16:22:09 -0600
Subject: [PATCH 10/21] bump trivy version to v0.50.1 (#324)
---
 .github/workflows/build.yaml | 2 +-
 Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 16915c2a..e5bb34f9 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
- TRIVY_VERSION: 0.49.0
+ TRIVY_VERSION: 0.50.1
 BATS_LIB_PATH: '/usr/lib/'
 jobs:
 build:
diff --git a/Dockerfile b/Dockerfile
index 81d2f323..5df7c410 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.49.0
+FROM ghcr.io/aquasecurity/trivy:0.50.1
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh
From f72b7e8127f2e443feedad3c314e6fe75e5a8b84 Mon Sep 17 00:00:00 2001
From: uridium
Date: Fri, 29 Mar 2024 02:06:30 +0100
Subject: [PATCH 11/21] Make 'hide-progress' input working again (#323)
* Make hide-progress input working again
* Unify 'hide-progress' default value
---
 README.md | 10 +++++-----
 action.yaml | 3 +--
 entrypoint.sh | 6 +++---
 3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 0d971f68..648d08c6 100644
--- a/README.md
+++ b/README.md
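Review bot: The `||` chain on the changed `if` line now carries six `[ "${scanType}" = ... ]` tests and grows by one each time a scan type is added; a `case` reads better and drops the repeated expansion: `case "${scanType}" in repo|fs|filesystem|config|rootfs|sbom) artifactRef=$(echo $scanRef | tr -d '\r') ;; esac` in place of the `if … fi` block. A one-line comment above it, `# these scan types take a path or URL from scan-ref instead of image-ref`, would record why the list exists, since nothing in the script currently says so. The `if … fi` block is complete within the hunk.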
@@ -115,7 +115,7 @@ jobs: run: | docker pull docker save -o vuln-image.tar - + - name: Run Trivy vulnerability scanner in tarball mode uses: aquasecurity/trivy-action@master with: @@ -287,7 +287,7 @@ jobs: uses: aquasecurity/trivy-action@master with: scan-type: 'config' - hide-progress: false + hide-progress: true format: 'sarif' output: 'trivy-results.sarif' exit-code: '1' 
@@ -303,7 +303,7 @@ jobs: ### Using Trivy to generate SBOM It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). -The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). +The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`): 
@@ -554,7 +554,7 @@ Following inputs can be used as `step.with` keys: | `cache-dir` | String | | Cache directory | | `timeout` | String | `5m0s` | Scan timeout duration | | `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | -| `hide-progress` | String | `true` | Suppress progress bar | +| `hide-progress` | String | `false` | Suppress progress bar and log output | | `list-all-pkgs` | String | | Output all packages regardless of vulnerability | | `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) | | `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | @@ -575,4 +575,4 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T [license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE [license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action [trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables -[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ \ No newline at end of file +[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ diff --git a/action.yaml b/action.yaml index c6f457a5..02bcd34d 100644 --- a/action.yaml +++ b/action.yaml @@ -65,7 +65,7 @@ inputs: required: false default: '' hide-progress: - description: 'hide progress output' + description: 'suppress progress bar and log output' required: false list-all-pkgs: description: 'output all packages regardless of vulnerability' @@ -123,4 +123,3 @@ runs: - '-v ${{ inputs.trivy-config }}' - '-x ${{ inputs.tf-vars }}' - '-z ${{ inputs.limit-severities-for-sarif }}' - \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index e6306f18..0b6f46ce 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -137,7 +137,7 @@ if [ $skipDirs ];then
 fi
 if [ $tfVars ] && [ "$scanType" == "config" ];then
 ARGS="$ARGS --tf-vars $tfVars"
-fi
+fi
 if [ $trivyIgnores ];then
 for f in $(echo $trivyIgnores | tr "," "\n")
@@ -162,8 +162,8 @@ if [ $ignorePolicy ];then
 SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
 fi
 if [ "$hideProgress" == "true" ];then
- ARGS="$ARGS --no-progress"
- SARIF_ARGS="$SARIF_ARGS --no-progress"
+ ARGS="$ARGS --quiet"
+ SARIF_ARGS="$SARIF_ARGS --quiet"
 fi
 listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
From 0f287db5d30aced70dbc7f7d6bb5c8b919114b4c Mon Sep 17 00:00:00 2001
From: Calin Marina
Date: Thu, 4 Apr 2024 00:26:17 +0100
Subject: [PATCH 12/21] feat(image): add `--docker-host` option for GH Action users (#267)
* add option to update docker-host via cli parameter
* chore: update test results
---------
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
---
 action.yaml | 4 ++++
 entrypoint.sh | 8 +++++++-
 test/test.bats | 8 ++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/action.yaml b/action.yaml
index 02bcd34d..9b494149 100644
--- a/action.yaml
+++ b/action.yaml
@@ -94,6 +94,9 @@ inputs:
 limit-severities-for-sarif:
 description: 'limit severities for SARIF format'
 required: false
+ docker-host:
+ description: 'unix domain socket path to use for docker scanning'
+ required: false
 runs:
 using: 'docker'
@@ -123,4 +126,4 @@ runs:
 - '-v ${{ inputs.trivy-config }}'
 - '-x ${{ inputs.tf-vars }}'
 - '-z ${{ inputs.limit-severities-for-sarif }}'
+ - '-y ${{ inputs.docker-host }}'
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
index 0b6f46ce..6e8f71fb 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do
 case "${o}" in
 a)
 export scanType=${OPTARG}
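Review bot: In the hide-progress commit's `@@ -162,8 +162,8 @@` hunk, the `--quiet` appended to SARIF_ARGS appears redundant: the SARIF invocation later in the script, visible as context in the `@@ -195,7 +195,7 @@` hunk further down this page, already runs `trivy --quiet ${scanType} --format sarif …` unconditionally, so the flag is emitted twice on that path. Conversely the `--config` branch in that same later hunk passes neither ARGS nor SARIF_ARGS, so `hide-progress: true` has no effect when `trivy-config` is set, as far as the hunks on this page show. Since this commit's own README and action.yaml text say `--quiet` suppresses log output and not only the progress bar, a comment on the `if` line such as `# --quiet also hides trivy's log lines, not just the progress bar` would make the behaviour change explicit to the next reader.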
@@ -71,6 +71,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do
 x)
 export tfVars=${OPTARG}
 ;;
+ y)
+ export dockerHost=${OPTARG}
+ ;;
 z)
 export limitSeveritiesForSARIF=${OPTARG}
 ;;
@@ -165,6 +168,9 @@ if [ "$hideProgress" == "true" ];then
 ARGS="$ARGS --quiet"
 SARIF_ARGS="$SARIF_ARGS --quiet"
 fi
+if [ "$dockerHost" == "true" ];then
+ ARGS="$ARGS --docker-host $dockerHost"
+fi
 listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
 if [ "$listAllPkgs" == "true" ];then
diff --git a/test/test.bats b/test/test.bats
index 5301eab1..0d107817 100644
--- a/test/test.bats
+++ b/test/test.bats
@@ -82,6 +82,14 @@ bats_load_library bats-file
 assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
 }
+@test "trivy image with custom docker-host" {
+ # trivy image --docker-host unix:///var/run/docker.sock --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
+ run ./entrypoint.sh '-y unix:///var/run/docker.sock' '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
+ run diff image.test ./test/data/image.test
+ echo "$output"
+ assert_files_equal image.test ./test/data/image.test
+}
+
 @test "trivy config with terraform variables" {
 # trivy config --format json --severity MEDIUM --output tfvars.test --tf-vars ./test/data/dev.tfvars ./test/data
 run ./entrypoint.sh "-a config" "-j ./test/data" "-h tfvars.test" "-g MEDIUM" "-x dev.tfvars" "-b json"
From 840deb490824e6f5705e41a56fa12089b09ecb51 Mon Sep 17 00:00:00 2001
From: uridium
Date: Fri, 5 Apr 2024 06:58:29 +0200
Subject: [PATCH 13/21] Browse scan reports without GitHub Advanced Security license (#328)
---
 README.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/README.md b/README.md
index 648d08c6..e9626f42 100644
--- a/README.md
+++ b/README.md
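Review bot: In the `@@ -165,6 +168,9 @@` entrypoint hunk, `if [ "$dockerHost" == "true" ];then` only appends `--docker-host` when the input is literally the string `true`, so a socket path like the one the new bats test passes is silently dropped. The new test in the `test/test.bats` hunk cannot detect this: its expected output is `./test/data/image.test`, a scan report that does not depend on which docker host was used, so it matches whether or not the flag was applied, and the second `run diff` overwrites `$output` before `echo "$output"` prints it. Test for a value instead, `if [ -n "$dockerHost" ]; then`, and have the test capture the first `run`'s output and assert that the `Running trivy with options:` line the script echoes (visible as context in a later hunk) contains `--docker-host`. The value is later expanded unquoted into the trivy command line, so a comment on the input, `# expects a URL such as unix:///var/run/docker.sock; no whitespace`, would document the constraint.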
@@ -522,6 +522,35 @@ jobs: sarif_file: 'trivy-results.sarif' ``` +### Using Trivy if you don't have code scanning enabled + +It's also possible to browse a scan result in a workflow summary. + +This step is especially useful for private repositories without [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) license. + +```yaml +- name: Run Trivy scanner + uses: aquasecurity/trivy-action@master + with: + scan-type: config + hide-progress: true + output: trivy.txt + +- name: Publish Trivy Output to Summary + run: | + if [[ -s trivy.txt ]]; then + { + echo "### Security Output" + echo "
Click to expand" + echo "" + echo '```terraform' + cat trivy.txt + echo '```' + echo "
" + } >> $GITHUB_STEP_SUMMARY + fi +``` + ## Customizing Configuration priority: From 207cd40078971bb7a078f8504c2061f908569449 Mon Sep 17 00:00:00 2001 From: Lukas Gravley Date: Thu, 4 Apr 2024 23:59:05 -0500 Subject: [PATCH 14/21] Fix docker host bug (#329) * Update entrypoint.sh should be a value not boolean * Update action.yaml add example * Update README.md --- README.md | 1 + action.yaml | 4 ++-- entrypoint.sh | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e9626f42..14476107 100644 --- a/README.md +++ b/README.md @@ -590,6 +590,7 @@ Following inputs can be used as `step.with` keys: | `trivy-config` | String | | Path to trivy.yaml config | | `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | +| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values | ### Environment variables You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`). diff --git a/action.yaml b/action.yaml index 9b494149..f13a5aac 100644 --- a/action.yaml +++ b/action.yaml @@ -95,7 +95,7 @@ inputs: description: 'limit severities for SARIF format' required: false docker-host: - description: 'unix domain socket path to use for docker scanning' + description: 'unix domain socket path to use for docker scanning, ex. unix:///var/run/docker.sock' required: false runs: 
@@ -126,4 +126,4 @@ runs: - '-v ${{ inputs.trivy-config }}' - '-x ${{ inputs.tf-vars }}' - '-z ${{ inputs.limit-severities-for-sarif }}' - - '-y ${{ inputs.docker-host }}' \ No newline at end of file + - '-y ${{ inputs.docker-host }}' diff --git a/entrypoint.sh b/entrypoint.sh index 6e8f71fb..79fd708e 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -168,7 +168,7 @@ if [ "$hideProgress" == "true" ];then ARGS="$ARGS --quiet" SARIF_ARGS="$SARIF_ARGS --quiet" fi -if [ "$dockerHost" == "true" ];then +if [ $dockerHost ];then ARGS="$ARGS --docker-host $dockerHost" fi From b5f4977b78f81fa3d48865ff0efcc6e279210235 Mon Sep 17 00:00:00 2001 From: Pedro Freitas Date: Tue, 23 Apr 2024 05:07:09 +0100 Subject: [PATCH 15/21] Bump trivy version to v0.50.2 (#341) Co-authored-by: pdefreitas <5927433+pdefreitas@users.noreply.github.com> --- .github/workflows/build.yaml | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e5bb34f9..1b24cbe8 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,7 +1,7 @@ name: "build" on: [push, pull_request] env: - TRIVY_VERSION: 0.50.1 + TRIVY_VERSION: 0.50.2 BATS_LIB_PATH: '/usr/lib/' jobs: build: diff --git a/Dockerfile b/Dockerfile index 5df7c410..5d89ff66 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/aquasecurity/trivy:0.50.1 +FROM ghcr.io/aquasecurity/trivy:0.50.2 COPY entrypoint.sh / RUN apk --no-cache add bash curl npm RUN chmod +x /entrypoint.sh From ee6a4f5af1dbe22ccc11905a61abd2db301d532c Mon Sep 17 00:00:00 2001 From: arairyus Date: Fri, 26 Apr 2024 14:57:46 +0900 Subject: [PATCH 16/21] =?UTF-8?q?fix:=20=F0=9F=90=9B=20allow=20trivy-confi?= =?UTF-8?q?g=20and=20other=20options=20to=20be=20used=20together=20(#338)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
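Review bot: The new guard `if [ $dockerHost ];then` leaves the variable unquoted, so a value containing whitespace turns into several `[` operands and the test fails with a syntax error (and, if the script runs under `set -e`, the scan never starts); `if [ -n "$dockerHost" ]; then` checks for a non-empty value without that hazard. The value is then appended unquoted to `ARGS`, which matches how the script builds its other options, so a socket path with spaces would also be word-split at the later `trivy` call — probably acceptable, but worth stating in the input description. Separately, the README row added in this same commit gives the default as `unix://var/run/docker.sock` while action.yaml's example reads `unix:///var/run/docker.sock`; the README form is missing a slash. The if/elif chain that follows and the `trivy` invocation consuming `ARGS` lie outside the hunk.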
diff --git a/entrypoint.sh b/entrypoint.sh
index 79fd708e..db11f92b 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -195,7 +195,7 @@ if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; the
 trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
 elif [ $trivyConfig ]; then
 echo "Running Trivy with trivy.yaml config from: " $trivyConfig
- trivy --config $trivyConfig ${scanType} ${artifactRef}
+ trivy --config $trivyConfig ${scanType} ${ARGS}" ${artifactRef}
 else
 echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
 echo "Global options: " "${GLOBAL_ARGS}"
From 7088d18dcb87884bc7b5a4000d5517d758e9aa13 Mon Sep 17 00:00:00 2001
From: Simar
Date: Fri, 26 Apr 2024 01:13:05 -0600
Subject: [PATCH 17/21] =?UTF-8?q?Revert=20"fix:=20=F0=9F=90=9B=20allow=20t?=
 =?UTF-8?q?rivy-config=20and=20other=20options=20to=20be=20used=20together?=
 =?UTF-8?q?=20(#338)"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This reverts commit ee6a4f5af1dbe22ccc11905a61abd2db301d532c.
---
 entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index db11f92b..79fd708e 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -195,7 +195,7 @@ if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; the
 trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
 elif [ $trivyConfig ]; then
 echo "Running Trivy with trivy.yaml config from: " $trivyConfig
- trivy --config $trivyConfig ${scanType} ${ARGS}" ${artifactRef}
+ trivy --config $trivyConfig ${scanType} ${artifactRef}
 else
 echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
 echo "Global options: " "${GLOBAL_ARGS}"
From 6f8c23760b7baab9da654a77606e367803441f93 Mon Sep 17 00:00:00 2001
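Review bot: The added line `trivy --config $trivyConfig ${scanType} ${ARGS}" ${artifactRef}` contains an unbalanced double quote after `${ARGS}`, so bash treats everything from that quote through the following lines as one string and the script no longer parses; the intended line is `trivy --config $trivyConfig ${scanType} ${ARGS} ${artifactRef}`. The `echo` two lines above still prints only the config path, so echoing `${ARGS}` there as the `else` branch already does would make the effective command visible in the job log. The revert in the following patch restores the old line rather than fixing the quote, so the goal of combining `--config` with the other options remains open. The enclosing if/elif/else block starts before the hunk and ends after it.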
From: Nikita Pivkin Date: Tue, 7 May 2024 11:18:53 +0600 Subject: [PATCH 18/21] update tests (#334) * update tests * rename trivy images * rename workflow steps --- .github/workflows/build.yaml | 28 - .github/workflows/sync-trivy-checks.yaml | 24 + .github/workflows/sync-trivy-db.yaml | 24 + .github/workflows/sync-trivy-java-db.yaml | 24 + .github/workflows/test.yaml | 29 + test/data/{ => config-sarif-report}/main.tf | 0 test/data/config-sarif-report/report.sarif | 512 +++++++ test/data/config-sarif.test | 620 --------- test/data/config-scan/main.tf | 18 + .../{config.test => config-scan/report.json} | 76 +- test/data/{fs.test => fs-scan/report} | 0 test/data/fs-scheck.test | 695 --------- test/data/github-dep-snapshot/report.gsbom | 1238 +++++++++++++++++ test/data/image-sarif.test | 77 - test/data/{image.test => image-scan/report} | 2 +- test/data/{rootfs.test => rootfs-scan/report} | 0 .../{repo.test => secret-scan/report.json} | 0 .../{ => with-ignore-files}/.trivyignore1 | 0 .../{ => with-ignore-files}/.trivyignore2 | 0 .../report} | 2 +- test/data/{ => with-tf-vars}/dev.tfvars | 0 test/data/with-tf-vars/main.tf | 18 + .../{tfvars.test => with-tf-vars/report.json} | 4 +- .../report.json} | 7 + .../data/{ => with-trivy-yaml-cfg}/trivy.yaml | 2 +- test/test.bats | 146 +- 26 files changed, 1990 insertions(+), 1556 deletions(-) delete mode 100644 .github/workflows/build.yaml create mode 100644 .github/workflows/sync-trivy-checks.yaml create mode 100644 .github/workflows/sync-trivy-db.yaml create mode 100644 .github/workflows/sync-trivy-java-db.yaml create mode 100644 .github/workflows/test.yaml rename test/data/{ => config-sarif-report}/main.tf (100%) create mode 100644 test/data/config-sarif-report/report.sarif delete mode 100644 test/data/config-sarif.test create mode 100644 test/data/config-scan/main.tf rename test/data/{config.test => config-scan/report.json} (90%) rename test/data/{fs.test => fs-scan/report} (100%) delete mode 100644 test/data/fs-scheck.test 
create mode 100644 test/data/github-dep-snapshot/report.gsbom delete mode 100644 test/data/image-sarif.test rename test/data/{image.test => image-scan/report} (99%) rename test/data/{rootfs.test => rootfs-scan/report} (100%) rename test/data/{repo.test => secret-scan/report.json} (100%) rename test/data/{ => with-ignore-files}/.trivyignore1 (100%) rename test/data/{ => with-ignore-files}/.trivyignore2 (100%) rename test/data/{image-trivyignores.test => with-ignore-files/report} (99%) rename test/data/{ => with-tf-vars}/dev.tfvars (100%) create mode 100644 test/data/with-tf-vars/main.tf rename test/data/{tfvars.test => with-tf-vars/report.json} (86%) rename test/data/{yamlconfig.test => with-trivy-yaml-cfg/report.json} (95%) rename test/data/{ => with-trivy-yaml-cfg}/trivy.yaml (71%) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml deleted file mode 100644 index 1b24cbe8..00000000 --- a/.github/workflows/build.yaml +++ /dev/null @@ -1,28 +0,0 @@ -name: "build" -on: [push, pull_request] -env: - TRIVY_VERSION: 0.50.2 - BATS_LIB_PATH: '/usr/lib/' -jobs: - build: - name: build - runs-on: ubuntu-20.04 - steps: - - - name: Setup BATS - uses: mig4/setup-bats@v1 - with: - bats-version: 1.7.0 - - - name: Setup Bats libs - uses: brokenpip3/setup-bats-libs@0.1.0 - - - name: Check out code - uses: actions/checkout@v1 - - - name: Install Trivy - run: | - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }} - - - name: Test - run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing . diff --git a/.github/workflows/sync-trivy-checks.yaml b/.github/workflows/sync-trivy-checks.yaml new file mode 100644 index 00000000..266b59ae --- /dev/null +++ b/.github/workflows/sync-trivy-checks.yaml 
@@ -0,0 +1,24 @@ +name: Sync Trivy Checks + +on: + workflow_dispatch: +env: + IMAGE_NAME: ${{ github.repository_owner }}/trivy-checks-act + REGISTRY: ghcr.io + +jobs: + sync-trivy-checks: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Login to GitHub Packages Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Copy Trivy Checks + run: | + oras cp ghcr.io/aquasecurity/trivy-checks:0 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \ No newline at end of file diff --git a/.github/workflows/sync-trivy-db.yaml b/.github/workflows/sync-trivy-db.yaml new file mode 100644 index 00000000..ef16e424 --- /dev/null +++ b/.github/workflows/sync-trivy-db.yaml @@ -0,0 +1,24 @@ +name: Sync Trivy DB + +on: + workflow_dispatch: +env: + IMAGE_NAME: ${{ github.repository_owner }}/trivy-db-act + REGISTRY: ghcr.io + +jobs: + sync-trivy-db: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Login to GitHub Packages Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Copy Trivy DB + run: | + oras cp ghcr.io/aquasecurity/trivy-db:2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest diff --git a/.github/workflows/sync-trivy-java-db.yaml b/.github/workflows/sync-trivy-java-db.yaml new file mode 100644 index 00000000..53cabdba --- /dev/null +++ b/.github/workflows/sync-trivy-java-db.yaml 
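Review bot: The job pushes to GHCR with `secrets.GITHUB_TOKEN` but declares no `permissions:` block, so it runs with whatever the repository default grants — either too little to push (read-only default) or more than a registry copy needs. A job-level `permissions: {contents: read, packages: write}` pins that to least privilege; the same applies to the sync-trivy-db.yaml and sync-trivy-java-db.yaml hunks, and the latter also reuses the job id `sync-trivy-db` rather than its own name. The `oras cp` step mirrors a floating source tag (`trivy-checks:0`) to `:latest` without recording a digest, so what the mirror holds depends on when the dispatch ran; printing the resulting digest in the step would make each sync auditable. The `actions/checkout@v4` step appears unused by the copy — presumably carried over from a template.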
@@ -0,0 +1,24 @@ +name: Sync Trivy Java DB + +on: + workflow_dispatch: +env: + IMAGE_NAME: ${{ github.repository_owner }}/trivy-java-db-act + REGISTRY: ghcr.io + +jobs: + sync-trivy-db: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Login to GitHub Packages Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Copy Trivy Java DB + run: | + oras cp ghcr.io/aquasecurity/trivy-java-db:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 00000000..7a2b0a49 --- /dev/null +++ b/.github/workflows/test.yaml @@ -0,0 +1,29 @@ +name: Test + +on: + push: + pull_request: + workflow_dispatch: + +env: + TRIVY_VERSION: 0.50.2 + BATS_LIB_PATH: '/usr/lib/' + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Setup Bats and bats libs + uses: bats-core/bats-action@2.0.0 + + - name: Install Trivy + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }} + trivy --version + + - name: Test + run: | + chmod +x entrypoint.sh + bats -r -T . diff --git a/test/data/main.tf b/test/data/config-sarif-report/main.tf similarity index 100% rename from test/data/main.tf rename to test/data/config-sarif-report/main.tf diff --git a/test/data/config-sarif-report/report.sarif b/test/data/config-sarif-report/report.sarif new file mode 100644 index 00000000..0602e452 --- /dev/null +++ b/test/data/config-sarif-report/report.sarif 
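Review bot: The Install step pipes `contrib/install.sh` fetched from the `main` branch straight into `sh`; `TRIVY_VERSION` pins the binary that script downloads, but the installer itself is whatever `main` holds at run time and nothing verifies it. Referencing the script at a tag or commit, or downloading the release archive and checking its published checksum, would make the test environment reproducible and remove an unverified-execution step from CI. The workflow also declares no `permissions:` block; `permissions: {contents: read}` is enough for a checkout-and-test job. The equivalent step in the deleted build.yaml had the same shape, so this is carried over rather than introduced here, but a new file is the natural place to tighten it.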
@@ -0,0 +1,512 @@ +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "fullName": "Trivy Vulnerability Scanner", + "informationUri": "https://github.com/aquasecurity/trivy", + "name": "Trivy", + "rules": [ + { + "id": "AVD-AWS-0086", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access block should block public ACL" + }, + "fullDescription": { + "text": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086", + "help": { + "text": "Misconfiguration AVD-AWS-0086\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public ACL\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", + "markdown": "**Misconfiguration AVD-AWS-0086**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\n\n\nS3 buckets should block public ACLs on buckets and any objects they contain. 
By blocking, PUTs with fail if the object has any public ACL a.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0087", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access block should block public policy" + }, + "fullDescription": { + "text": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087", + "help": { + "text": "Misconfiguration AVD-AWS-0087\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public policy\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", + "markdown": "**Misconfiguration AVD-AWS-0087**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\n\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0088", + "name": "Misconfiguration", + "shortDescription": { + "text": "Unencrypted S3 bucket." + }, + "fullDescription": { + "text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088", + "help": { + "text": "Misconfiguration AVD-AWS-0088\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", + "markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0089", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Bucket Logging" + }, + "fullDescription": { + "text": "Ensures S3 bucket logging is enabled for S3 buckets" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089", + "help": { + "text": "Misconfiguration AVD-AWS-0089\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\nEnsures S3 bucket logging is enabled for S3 buckets", + "markdown": "**Misconfiguration AVD-AWS-0089**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\n\nEnsures S3 bucket logging is enabled for S3 buckets" + }, + "properties": { + "precision": 
"very-high", + "security-severity": "2.0", + "tags": [ + "misconfiguration", + "security", + "LOW" + ] + } + }, + { + "id": "AVD-AWS-0090", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Data should be versioned" + }, + "fullDescription": { + "text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090", + "help": { + "text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n", + "markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
\nWith versioning you can recover more easily from both unintended user actions and application failures.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "misconfiguration", + "security", + "MEDIUM" + ] + } + }, + { + "id": "AVD-AWS-0091", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access Block should Ignore Public Acl" + }, + "fullDescription": { + "text": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091", + "help": { + "text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public Acl\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", + "markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. 
By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0093", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access block should restrict public bucket to limit access" + }, + "fullDescription": { + "text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093", + "help": { + "text": "Misconfiguration AVD-AWS-0093\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should restrict public bucket to limit access\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", + "markdown": "**Misconfiguration AVD-AWS-0093**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\n\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." 
+ }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0094", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 buckets should each define an aws_s3_bucket_public_access_block" + }, + "fullDescription": { + "text": "The \u0026#34;block public access\u0026#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094", + "help": { + "text": "Misconfiguration AVD-AWS-0094\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. 
It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", + "markdown": "**Misconfiguration AVD-AWS-0094**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\n\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "misconfiguration", + "security", + "LOW" + ] + } + }, + { + "id": "AVD-AWS-0132", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 encryption should use Customer Managed Keys" + }, + "fullDescription": { + "text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132", + "help": { + "text": "Misconfiguration AVD-AWS-0132\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. 
To increase control of the encryption and manage factors like rotation use customer managed keys.", + "markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys." + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + } + ], + "version": "0.50.0" + } + }, + "results": [ + { + "ruleId": "AVD-AWS-0086", + "ruleIndex": 0, + "level": "error", + "message": { + "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0086\nSeverity: HIGH\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0087", + "ruleIndex": 1, + "level": "error", + "message": { + "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0087\nSeverity: HIGH\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0088", + 
"ruleIndex": 2, + "level": "error", + "message": { + "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0088\nSeverity: HIGH\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0089", + "ruleIndex": 3, + "level": "note", + "message": { + "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0090", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0090\nSeverity: MEDIUM\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 16, + "startColumn": 1, + "endLine": 16, + "endColumn": 1 + } + }, + "message": { + "text": "main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0091", + "ruleIndex": 5, + "level": "error", + "message": { + "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0091\nSeverity: HIGH\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)" + }, + "locations": [ + { + 
"physicalLocation": { + "artifactLocation": { + "uri": "main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0093", + "ruleIndex": 6, + "level": "error", + "message": { + "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0093\nSeverity: HIGH\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0094", + "ruleIndex": 7, + "level": "note", + "message": { + "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0094\nSeverity: LOW\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0132", + "ruleIndex": 8, + "level": "error", + "message": { + "text": "Artifact: main.tf\nType: terraform\nVulnerability AVD-AWS-0132\nSeverity: HIGH\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "main.tf" + } + } + ] + } + 
], + "columnKind": "utf16CodeUnits", + "originalUriBaseIds": { + "ROOTPATH": { + "uri": "file://D:\\projects\\trivy-action\\test\\data\\config-sarif-report/" + } + } + } + ] +} \ No newline at end of file diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test deleted file mode 100644 index 3189a576..00000000 --- a/test/data/config-sarif.test +++ /dev/null 
@@ -1,620 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "fullName": "Trivy Vulnerability Scanner", - "informationUri": "https://github.com/aquasecurity/trivy", - "name": "Trivy", - "rules": [ - { - "id": "DS002", - "name": "Misconfiguration", - "shortDescription": { - "text": "Image user should not be \u0026#39;root\u0026#39;" - }, - "fullDescription": { - "text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile." - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/misconfig/ds002", - "help": { - "text": "Misconfiguration DS002\\nType: Dockerfile Security Check\\nSeverity: HIGH\\nCheck: Image user should not be 'root'\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "markdown": "**Misconfiguration DS002**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\\n\\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile." 
- }, - "properties": { - "precision": "very-high", - "security-severity": "8.0", - "tags": [ - "misconfiguration", - "security", - "HIGH" - ] - } - }, - { - "id": "DS026", - "name": "Misconfiguration", - "shortDescription": { - "text": "No HEALTHCHECK defined" - }, - "fullDescription": { - "text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers." - }, - "defaultConfiguration": { - "level": "note" - }, - "helpUri": "https://avd.aquasec.com/misconfig/ds026", - "help": { - "text": "Misconfiguration DS026\\nType: Dockerfile Security Check\\nSeverity: LOW\\nCheck: No HEALTHCHECK defined\\nMessage: Add HEALTHCHECK instruction in your Dockerfile\\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "markdown": "**Misconfiguration DS026**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\\n\\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers." - }, - "properties": { - "precision": "very-high", - "security-severity": "2.0", - "tags": [ - "misconfiguration", - "security", - "LOW" - ] - } - }, - { - "id": "AVD-AWS-0086", - "name": "Misconfiguration", - "shortDescription": { - "text": "S3 Access block should block public ACL" - }, - "fullDescription": { - "text": "\nS3 buckets should block public ACLs on buckets and any objects they contain. 
By blocking, PUTs with fail if the object has any public ACL a.\n" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086", - "help": { - "text": "Misconfiguration AVD-AWS-0086\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should block public ACL\\nMessage: No public access block so not blocking public acls\\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", - "markdown": "**Misconfiguration AVD-AWS-0086**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\\n\\n\nS3 buckets should block public ACLs on buckets and any objects they contain. 
By blocking, PUTs with fail if the object has any public ACL a.\n" - }, - "properties": { - "precision": "very-high", - "security-severity": "8.0", - "tags": [ - "misconfiguration", - "security", - "HIGH" - ] - } - }, - { - "id": "AVD-AWS-0087", - "name": "Misconfiguration", - "shortDescription": { - "text": "S3 Access block should block public policy" - }, - "fullDescription": { - "text": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087", - "help": { - "text": "Misconfiguration AVD-AWS-0087\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should block public policy\\nMessage: No public access block so not blocking public policies\\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", - "markdown": "**Misconfiguration AVD-AWS-0087**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\\n\\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" - }, - "properties": { - "precision": "very-high", - "security-severity": "8.0", - "tags": [ - "misconfiguration", - "security", - "HIGH" - ] - } - }, - { - "id": "AVD-AWS-0088", - "name": "Misconfiguration", - "shortDescription": { - "text": "Unencrypted S3 bucket." - }, - "fullDescription": { - "text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." 
- }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088", - "help": { - "text": "Misconfiguration AVD-AWS-0088\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: Unencrypted S3 bucket.\\nMessage: Bucket does not have encryption enabled\\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", - "markdown": "**Misconfiguration AVD-AWS-0088**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\\n\\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." - }, - "properties": { - "precision": "very-high", - "security-severity": "8.0", - "tags": [ - "misconfiguration", - "security", - "HIGH" - ] - } - }, - { - "id": "AVD-AWS-0089", - "name": "Misconfiguration", - "shortDescription": { - "text": "S3 Bucket Logging" - }, - "fullDescription": { - "text": "Ensures S3 bucket logging is enabled for S3 buckets" - }, - "defaultConfiguration": { - "level": "note" - }, - "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089", - "help": { - "text": "Misconfiguration AVD-AWS-0089\\nType: Terraform Security Check\\nSeverity: LOW\\nCheck: S3 Bucket Logging\\nMessage: Bucket has logging disabled\\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\\nEnsures S3 bucket logging is enabled for S3 buckets", - "markdown": "**Misconfiguration AVD-AWS-0089**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\\n\\nEnsures S3 bucket logging is enabled for S3 buckets" - }, - 
"properties": { - "precision": "very-high", - "security-severity": "2.0", - "tags": [ - "misconfiguration", - "security", - "LOW" - ] - } - }, - { - "id": "AVD-AWS-0090", - "name": "Misconfiguration", - "shortDescription": { - "text": "S3 Data should be versioned" - }, - "fullDescription": { - "text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n" - }, - "defaultConfiguration": { - "level": "warning" - }, - "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090", - "help": { - "text": "Misconfiguration AVD-AWS-0090\\nType: Terraform Security Check\\nSeverity: MEDIUM\\nCheck: S3 Data should be versioned\\nMessage: Bucket does not have versioning enabled\\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n", - "markdown": "**Misconfiguration AVD-AWS-0090**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\\n\\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
\nWith versioning you can recover more easily from both unintended user actions and application failures.\n" - }, - "properties": { - "precision": "very-high", - "security-severity": "5.5", - "tags": [ - "misconfiguration", - "security", - "MEDIUM" - ] - } - }, - { - "id": "AVD-AWS-0091", - "name": "Misconfiguration", - "shortDescription": { - "text": "S3 Access Block should Ignore Public Acl" - }, - "fullDescription": { - "text": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091", - "help": { - "text": "Misconfiguration AVD-AWS-0091\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access Block should Ignore Public Acl\\nMessage: No public access block so not ignoring public acls\\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", - "markdown": "**Misconfiguration AVD-AWS-0091**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\\n\\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. 
By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" - }, - "properties": { - "precision": "very-high", - "security-severity": "8.0", - "tags": [ - "misconfiguration", - "security", - "HIGH" - ] - } - }, - { - "id": "AVD-AWS-0093", - "name": "Misconfiguration", - "shortDescription": { - "text": "S3 Access block should restrict public bucket to limit access" - }, - "fullDescription": { - "text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093", - "help": { - "text": "Misconfiguration AVD-AWS-0093\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should restrict public bucket to limit access\\nMessage: No public access block so not restricting public buckets\\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", - "markdown": "**Misconfiguration AVD-AWS-0093**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\\n\\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." 
- }, - "properties": { - "precision": "very-high", - "security-severity": "8.0", - "tags": [ - "misconfiguration", - "security", - "HIGH" - ] - } - }, - { - "id": "AVD-AWS-0094", - "name": "Misconfiguration", - "shortDescription": { - "text": "S3 buckets should each define an aws_s3_bucket_public_access_block" - }, - "fullDescription": { - "text": "The \u0026#34;block public access\u0026#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." - }, - "defaultConfiguration": { - "level": "note" - }, - "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094", - "help": { - "text": "Misconfiguration AVD-AWS-0094\\nType: Terraform Security Check\\nSeverity: LOW\\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\\nMessage: Bucket does not have a corresponding public access block.\\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. 
It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", - "markdown": "**Misconfiguration AVD-AWS-0094**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\\n\\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." - }, - "properties": { - "precision": "very-high", - "security-severity": "2.0", - "tags": [ - "misconfiguration", - "security", - "LOW" - ] - } - }, - { - "id": "AVD-AWS-0132", - "name": "Misconfiguration", - "shortDescription": { - "text": "S3 encryption should use Customer Managed Keys" - }, - "fullDescription": { - "text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys." - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132", - "help": { - "text": "Misconfiguration AVD-AWS-0132\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 encryption should use Customer Managed Keys\\nMessage: Bucket does not encrypt data with a customer managed key.\\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\\nEncryption using AWS keys provides protection for your S3 buckets. 
To increase control of the encryption and manage factors like rotation use customer managed keys.", - "markdown": "**Misconfiguration AVD-AWS-0132**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\\n\\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys." - }, - "properties": { - "precision": "very-high", - "security-severity": "8.0", - "tags": [ - "misconfiguration", - "security", - "HIGH" - ] - } - } - ], - "version": "0.48.1" - } - }, - "results": [ - { - "ruleId": "DS002", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: Dockerfile\\nType: dockerfile\\nVulnerability DS002\\nSeverity: HIGH\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "Dockerfile", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "message": { - "text": "Dockerfile" - } - } - ] - }, - { - "ruleId": "DS026", - "ruleIndex": 1, - "level": "note", - "message": { - "text": "Artifact: Dockerfile\\nType: dockerfile\\nVulnerability DS026\\nSeverity: LOW\\nMessage: Add HEALTHCHECK instruction in your Dockerfile\\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "Dockerfile", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - }, - "message": { - "text": "Dockerfile" - } - } - ] - }, - { - "ruleId": "AVD-AWS-0086", - 
"ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0086\\nSeverity: HIGH\\nMessage: No public access block so not blocking public acls\\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "test/data/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 8, - "startColumn": 1, - "endLine": 10, - "endColumn": 1 - } - }, - "message": { - "text": "test/data/main.tf" - } - } - ] - }, - { - "ruleId": "AVD-AWS-0087", - "ruleIndex": 3, - "level": "error", - "message": { - "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0087\\nSeverity: HIGH\\nMessage: No public access block so not blocking public policies\\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "test/data/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 8, - "startColumn": 1, - "endLine": 10, - "endColumn": 1 - } - }, - "message": { - "text": "test/data/main.tf" - } - } - ] - }, - { - "ruleId": "AVD-AWS-0088", - "ruleIndex": 4, - "level": "error", - "message": { - "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0088\\nSeverity: HIGH\\nMessage: Bucket does not have encryption enabled\\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "test/data/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 8, - "startColumn": 1, - "endLine": 10, - "endColumn": 1 - } - }, - "message": { - "text": "test/data/main.tf" - } - } - ] - }, - { - "ruleId": "AVD-AWS-0089", - "ruleIndex": 5, - "level": "note", - "message": { - "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0089\\nSeverity: LOW\\nMessage: 
Bucket has logging disabled\\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "test/data/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 8, - "startColumn": 1, - "endLine": 10, - "endColumn": 1 - } - }, - "message": { - "text": "test/data/main.tf" - } - } - ] - }, - { - "ruleId": "AVD-AWS-0090", - "ruleIndex": 6, - "level": "warning", - "message": { - "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0090\\nSeverity: MEDIUM\\nMessage: Bucket does not have versioning enabled\\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "test/data/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 16, - "startColumn": 1, - "endLine": 16, - "endColumn": 1 - } - }, - "message": { - "text": "test/data/main.tf" - } - } - ] - }, - { - "ruleId": "AVD-AWS-0091", - "ruleIndex": 7, - "level": "error", - "message": { - "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0091\\nSeverity: HIGH\\nMessage: No public access block so not ignoring public acls\\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "test/data/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 8, - "startColumn": 1, - "endLine": 10, - "endColumn": 1 - } - }, - "message": { - "text": "test/data/main.tf" - } - } - ] - }, - { - "ruleId": "AVD-AWS-0093", - "ruleIndex": 8, - "level": "error", - "message": { - "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0093\\nSeverity: HIGH\\nMessage: No public access block so not restricting public buckets\\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)" - }, - "locations": [ - { - "physicalLocation": { - 
"artifactLocation": { - "uri": "test/data/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 8, - "startColumn": 1, - "endLine": 10, - "endColumn": 1 - } - }, - "message": { - "text": "test/data/main.tf" - } - } - ] - }, - { - "ruleId": "AVD-AWS-0094", - "ruleIndex": 9, - "level": "note", - "message": { - "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0094\\nSeverity: LOW\\nMessage: Bucket does not have a corresponding public access block.\\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "test/data/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 8, - "startColumn": 1, - "endLine": 10, - "endColumn": 1 - } - }, - "message": { - "text": "test/data/main.tf" - } - } - ] - }, - { - "ruleId": "AVD-AWS-0132", - "ruleIndex": 10, - "level": "error", - "message": { - "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0132\\nSeverity: HIGH\\nMessage: Bucket does not encrypt data with a customer managed key.\\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "test/data/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 8, - "startColumn": 1, - "endLine": 10, - "endColumn": 1 - } - }, - "message": { - "text": "test/data/main.tf" - } - } - ] - } - ], - "columnKind": "utf16CodeUnits", - "originalUriBaseIds": { - "ROOTPATH": { - "uri": "file:///home/runner/work/trivy-action/trivy-action/" - } - } - } - ] -} \ No newline at end of file diff --git a/test/data/config-scan/main.tf b/test/data/config-scan/main.tf new file mode 100644 index 00000000..85208bb2 --- /dev/null +++ b/test/data/config-scan/main.tf 
@@ -0,0 +1,18 @@
+# test data for trivy config with terraform variables
+
+variable "bucket_versioning_enabled" {
+ type = string
+ default = "Disabled"
+}
+
+resource "aws_s3_bucket" "bucket" {
+ bucket = "trivy-action-bucket"
+}
+
+resource "aws_s3_bucket_versioning" "bucket_versioning" {
+ bucket = aws_s3_bucket.bucket.id
+
+ versioning_configuration {
+ status = var.bucket_versioning_enabled
+ }
+}
\ No newline at end of file
diff --git a/test/data/config.test b/test/data/config-scan/report.json
similarity index 90%
rename from test/data/config.test
rename to test/data/config-scan/report.json
index 5a3b830e..61c7dc88 100644
--- a/test/data/config.test
+++ b/test/data/config-scan/report.json
@@ -1,7 +1,7 @@ { "SchemaVersion": 2, - "CreatedAt": "2024-01-02T23:40:12.036390742Z", - "ArtifactName": ".", + "CreatedAt": "2024-04-12T16:53:35.5567541+03:00", + "ArtifactName": "test/data/config-scan", "ArtifactType": "filesystem", "Metadata": { "ImageConfig": { 
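Review bot: The header comment on the first line of main.tf says only that this is test data for Terraform variables; it does not say which variable the `--tf-vars` input is expected to override, nor whether the default is meant to make the scan pass or fail, so a reader cannot tell what outcome the test asserts. Because `status` is driven by `var.bucket_versioning_enabled` with a default of `"Disabled"`, the bucket-versioning check reports a failure on this file (the report fixture in this diff lists `aws_s3_bucket_versioning.bucket_versioning` at lines 12-18 as an occurrence) unless a tfvars file sets it to `"Enabled"` — presumably that is what the tfvars fixture added in this change does, but the file does not say so. I would extend the comment to `# Fixture for the config scan with --tf-vars: var.bucket_versioning_enabled defaults to "Disabled" so the bucket-versioning check fails unless the supplied tfvars file sets it to "Enabled".` The file also ends without a trailing newline, which the diff flags with "No newline at end of file".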
@@ -17,71 +17,7 @@ }, "Results": [ { - "Target": "Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 24, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": 
"general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "test/data", + "Target": ".", "Class": "config", "Type": "terraform", "MisconfSummary": { @@ -91,7 +27,7 @@ } }, { - "Target": "test/data/main.tf", + "Target": "main.tf", "Class": "config", "Type": "terraform", "MisconfSummary": { @@ -436,7 +372,7 @@ "Occurrences": [ { "Resource": "versioning_configuration", - "Filename": "test/data/main.tf", + "Filename": "main.tf", "Location": { "StartLine": 15, "EndLine": 17 @@ -444,7 +380,7 @@ }, { "Resource": "aws_s3_bucket_versioning.bucket_versioning", - "Filename": "test/data/main.tf", + "Filename": "main.tf", "Location": { "StartLine": 12, "EndLine": 18 diff --git a/test/data/fs.test b/test/data/fs-scan/report similarity index 100% rename from test/data/fs.test rename to test/data/fs-scan/report diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test deleted file mode 100644 index da0a280f..00000000 --- a/test/data/fs-scheck.test +++ /dev/null 
@@ -1,695 +0,0 @@ -{ - "SchemaVersion": 2, - "CreatedAt": "2024-01-02T23:40:15.166517221Z", - "ArtifactName": ".", - "ArtifactType": "filesystem", - "Metadata": { - "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", - "rootfs": { - "type": "", - "diff_ids": null - }, - "config": {} - } - }, - "Results": [ - { - "Target": "Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 24, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in 
Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "test/data", - "Class": "config", - "Type": "terraform", - "MisconfSummary": { - "Successes": 2, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "test/data/main.tf", - "Class": "config", - "Type": "terraform", - "MisconfSummary": { - "Successes": 1, - "Failures": 9, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Terraform Security Check", - "ID": "AVD-AWS-0086", - "AVDID": "AVD-AWS-0086", - "Title": "S3 Access block should block public ACL", - "Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", - "Message": "No public access block so not blocking public acls", - "Query": "data..", - "Resolution": "Enable blocking any PUT calls with a public ACL specified", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086", - "References": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", - "https://avd.aquasec.com/misconfig/avd-aws-0086" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Resource": "aws_s3_bucket.bucket", - "Provider": "AWS", - "Service": "s3", - "StartLine": 8, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "resource \"aws_s3_bucket\" \"bucket\" {", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 9, - 
"Content": " bucket = \"trivy-action-bucket\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 10, - "Content": "}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m}", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Terraform Security Check", - "ID": "AVD-AWS-0087", - "AVDID": "AVD-AWS-0087", - "Title": "S3 Access block should block public policy", - "Description": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", - "Message": "No public access block so not blocking public policies", - "Query": "data..", - "Resolution": "Prevent policies that allow public access being PUT", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087", - "References": [ - "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html", - "https://avd.aquasec.com/misconfig/avd-aws-0087" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Resource": "aws_s3_bucket.bucket", - "Provider": "AWS", - "Service": "s3", - "StartLine": 8, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "resource \"aws_s3_bucket\" \"bucket\" {", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 9, - "Content": " bucket = \"trivy-action-bucket\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 10, - "Content": "}", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m}", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Terraform Security Check", - "ID": "AVD-AWS-0088", - "AVDID": "AVD-AWS-0088", - "Title": "Unencrypted S3 bucket.", - "Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", - "Message": "Bucket does not have encryption enabled", - "Query": "data..", - "Resolution": "Configure bucket encryption", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088", - "References": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", - "https://avd.aquasec.com/misconfig/avd-aws-0088" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Resource": "aws_s3_bucket.bucket", - "Provider": "AWS", - "Service": "s3", - "StartLine": 8, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "resource \"aws_s3_bucket\" \"bucket\" {", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 9, - "Content": " bucket = \"trivy-action-bucket\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 10, - "Content": "}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m}", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Terraform Security Check", - "ID": "AVD-AWS-0089", - "AVDID": "AVD-AWS-0089", - "Title": "S3 Bucket Logging", - "Description": "Ensures S3 bucket logging is enabled for S3 buckets", - "Message": "Bucket has logging disabled", - "Namespace": 
"builtin.aws.s3.aws0089", - "Query": "data.builtin.aws.s3.aws0089.deny", - "Resolution": "Add a logging block to the resource to enable access logging", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089", - "References": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html", - "https://avd.aquasec.com/misconfig/avd-aws-0089" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Resource": "aws_s3_bucket.bucket", - "Provider": "AWS", - "Service": "s3", - "StartLine": 8, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "resource \"aws_s3_bucket\" \"bucket\" {", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 9, - "Content": " bucket = \"trivy-action-bucket\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 10, - "Content": "}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m}", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Terraform Security Check", - "ID": "AVD-AWS-0090", - "AVDID": "AVD-AWS-0090", - "Title": "S3 Data should be versioned", - "Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
\nWith versioning you can recover more easily from both unintended user actions and application failures.\n", - "Message": "Bucket does not have versioning enabled", - "Query": "data..", - "Resolution": "Enable versioning to protect against accidental/malicious removal or modification", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090", - "References": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html", - "https://avd.aquasec.com/misconfig/avd-aws-0090" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Resource": "aws_s3_bucket_versioning.bucket_versioning", - "Provider": "AWS", - "Service": "s3", - "StartLine": 16, - "EndLine": 16, - "Code": { - "Lines": [ - { - "Number": 12, - "Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {", - "IsCause": false, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " bucket = aws_s3_bucket.bucket.id", - "IsCause": false, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " versioning_configuration {", - "IsCause": false, - "Annotation": "", - "Truncated": false, - "Highlighted": " versioning_configuration {", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " status = var.bucket_versioning_enabled", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled", - "FirstCause": 
true, - "LastCause": true - }, - { - "Number": 17, - "Content": " }", - "IsCause": false, - "Annotation": "", - "Truncated": false, - "Highlighted": " }", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": "}", - "IsCause": false, - "Annotation": "", - "Truncated": false, - "Highlighted": "}", - "FirstCause": false, - "LastCause": false - } - ] - }, - "Occurrences": [ - { - "Resource": "versioning_configuration", - "Filename": "test/data/main.tf", - "Location": { - "StartLine": 15, - "EndLine": 17 - } - }, - { - "Resource": "aws_s3_bucket_versioning.bucket_versioning", - "Filename": "test/data/main.tf", - "Location": { - "StartLine": 12, - "EndLine": 18 - } - } - ] - } - }, - { - "Type": "Terraform Security Check", - "ID": "AVD-AWS-0091", - "AVDID": "AVD-AWS-0091", - "Title": "S3 Access Block should Ignore Public Acl", - "Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", - "Message": "No public access block so not ignoring public acls", - "Query": "data..", - "Resolution": "Enable ignoring the application of public ACLs in PUT calls", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091", - "References": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", - "https://avd.aquasec.com/misconfig/avd-aws-0091" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Resource": "aws_s3_bucket.bucket", - "Provider": "AWS", - "Service": "s3", - "StartLine": 8, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "resource \"aws_s3_bucket\" \"bucket\" {", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", - "FirstCause": true, - 
"LastCause": false - }, - { - "Number": 9, - "Content": " bucket = \"trivy-action-bucket\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 10, - "Content": "}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m}", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Terraform Security Check", - "ID": "AVD-AWS-0093", - "AVDID": "AVD-AWS-0093", - "Title": "S3 Access block should restrict public bucket to limit access", - "Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", - "Message": "No public access block so not restricting public buckets", - "Query": "data..", - "Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093", - "References": [ - "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html", - "https://avd.aquasec.com/misconfig/avd-aws-0093" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Resource": "aws_s3_bucket.bucket", - "Provider": "AWS", - "Service": "s3", - "StartLine": 8, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "resource \"aws_s3_bucket\" \"bucket\" {", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 9, - "Content": " bucket = \"trivy-action-bucket\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 10, - "Content": "}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m}", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Terraform Security Check", - "ID": "AVD-AWS-0094", - "AVDID": "AVD-AWS-0094", - "Title": "S3 buckets should each define an aws_s3_bucket_public_access_block", - "Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", - "Message": "Bucket does not have a corresponding public access block.", - "Query": "data..", - "Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094", - "References": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", - "https://avd.aquasec.com/misconfig/avd-aws-0094" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Resource": "aws_s3_bucket.bucket", - "Provider": "AWS", - "Service": "s3", - "StartLine": 8, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "resource \"aws_s3_bucket\" \"bucket\" {", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 9, - "Content": " bucket = \"trivy-action-bucket\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 10, - "Content": "}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m}", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Terraform Security Check", - "ID": "AVD-AWS-0132", - "AVDID": "AVD-AWS-0132", - "Title": "S3 encryption should use Customer Managed Keys", - "Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.", - "Message": "Bucket does not encrypt data with a customer managed key.", - "Query": "data..", - "Resolution": "Enable encryption using customer managed keys", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132", - "References": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", - "https://avd.aquasec.com/misconfig/avd-aws-0132" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Resource": "aws_s3_bucket.bucket", - "Provider": "AWS", - "Service": "s3", - "StartLine": 8, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "resource \"aws_s3_bucket\" \"bucket\" {", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 9, - "Content": " bucket = \"trivy-action-bucket\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 10, - "Content": "}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m}", - "FirstCause": false, - 
"LastCause": true - } - ] - } - } - } - ] - } - ] -} diff --git a/test/data/github-dep-snapshot/report.gsbom b/test/data/github-dep-snapshot/report.gsbom new file mode 100644 index 00000000..355b1eca --- /dev/null +++ b/test/data/github-dep-snapshot/report.gsbom 
@@ -0,0 +1,1238 @@ +{ + "version": 0, + "detector": { + "name": "trivy", + "version": "0.50.0", + "url": "https://github.com/aquasecurity/trivy" + }, + "metadata": { + "aquasecurity:trivy:RepoDigest": "knqyf263/vuln-image@sha256:1e8b199249d6d0ef3419ddc6eda2348d9fbdb10d350d3bb70aa98e87faa227c9", + "aquasecurity:trivy:RepoTag": "knqyf263/vuln-image:1.2.3" + }, + "job": { + "correlator": "_" + }, + "scanned": "2024-04-12T16:02:51+03:00", + "manifests": { + "knqyf263/vuln-image:1.2.3 (alpine 3.7.1)": { + "name": "alpine", + "resolved": { + ".composer-phpext-rundeps": { + "package_url": "pkg:apk/alpine/.composer-phpext-rundeps@0?arch=noarch\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libsodium@1.0.15-r0", + "musl@1.1.18-r3", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + ".persistent-deps": { + "package_url": "pkg:apk/alpine/.persistent-deps@0?arch=noarch\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "ca-certificates@20171114-r0", + "curl@7.61.0-r0", + "libressl@2.6.5-r0", + "tar@1.29-r1", + "xz@5.2.3-r1" + ], + "scope": "runtime" + }, + ".php-rundeps": { + "package_url": "pkg:apk/alpine/.php-rundeps@0?arch=noarch\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libcurl@7.61.1-r0", + "libedit@20170329.3.1-r3", + "libressl2.6-libcrypto@2.6.5-r0", + "libressl2.6-libssl@2.6.5-r0", + "libsodium@1.0.15-r0", + "libxml2@2.9.7-r0", + "musl@1.1.18-r3", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "alpine-baselayout": { + "package_url": "pkg:apk/alpine/alpine-baselayout@3.0.5-r2?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "busybox@1.27.2-r11", + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "alpine-keys": { + "package_url": "pkg:apk/alpine/alpine-keys@2.1-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "scope": "runtime" + }, + "apk-tools": { + "package_url": "pkg:apk/alpine/apk-tools@2.10.1-r0?arch=x86_64\u0026distro=3.7.1", + 
"relationship": "direct", + "dependencies": [ + "libressl2.6-libcrypto@2.6.5-r0", + "libressl2.6-libssl@2.6.5-r0", + "musl@1.1.18-r3", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "apr": { + "package_url": "pkg:apk/alpine/apr@1.6.3-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libuuid@2.31-r0", + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "apr-util": { + "package_url": "pkg:apk/alpine/apr-util@1.6.1-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "apr@1.6.3-r0", + "expat@2.2.5-r0", + "libressl2.6-libcrypto@2.6.5-r0", + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "bash": { + "package_url": "pkg:apk/alpine/bash@4.4.19-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "busybox@1.27.2-r11", + "musl@1.1.18-r3", + "pkgconf@1.3.10-r0", + "readline@7.0.003-r0" + ], + "scope": "runtime" + }, + "busybox": { + "package_url": "pkg:apk/alpine/busybox@1.27.2-r11?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "ca-certificates": { + "package_url": "pkg:apk/alpine/ca-certificates@20171114-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "busybox@1.27.2-r11", + "libressl2.6-libcrypto@2.6.5-r0", + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "curl": { + "package_url": "pkg:apk/alpine/curl@7.61.0-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "ca-certificates@20171114-r0", + "libcurl@7.61.1-r0", + "musl@1.1.18-r3", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "db": { + "package_url": "pkg:apk/alpine/db@5.3.28-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "expat": { + "package_url": "pkg:apk/alpine/expat@2.2.5-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + 
"musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "gdbm": { + "package_url": "pkg:apk/alpine/gdbm@1.13-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "git": { + "package_url": "pkg:apk/alpine/git@2.15.2-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "expat@2.2.5-r0", + "libcurl@7.61.1-r0", + "musl@1.1.18-r3", + "pcre2@10.30-r0", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "libbz2": { + "package_url": "pkg:apk/alpine/libbz2@1.0.6-r6?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "libc-utils": { + "package_url": "pkg:apk/alpine/libc-utils@0.7.1-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl-utils@1.1.18-r3" + ], + "scope": "runtime" + }, + "libcurl": { + "package_url": "pkg:apk/alpine/libcurl@7.61.1-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "ca-certificates@20171114-r0", + "libressl2.6-libcrypto@2.6.5-r0", + "libressl2.6-libssl@2.6.5-r0", + "libssh2@1.8.0-r2", + "musl@1.1.18-r3", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "libedit": { + "package_url": "pkg:apk/alpine/libedit@20170329.3.1-r3?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3", + "ncurses-libs@6.0_p20171125-r1" + ], + "scope": "runtime" + }, + "libffi": { + "package_url": "pkg:apk/alpine/libffi@3.2.1-r4?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "libressl": { + "package_url": "pkg:apk/alpine/libressl@2.6.5-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libressl2.6-libcrypto@2.6.5-r0", + "libressl2.6-libssl@2.6.5-r0", + "libressl2.6-libtls@2.6.5-r0", + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + 
"libressl2.6-libcrypto": { + "package_url": "pkg:apk/alpine/libressl2.6-libcrypto@2.6.5-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "libressl2.6-libssl": { + "package_url": "pkg:apk/alpine/libressl2.6-libssl@2.6.5-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libressl2.6-libcrypto@2.6.5-r0", + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "libressl2.6-libtls": { + "package_url": "pkg:apk/alpine/libressl2.6-libtls@2.6.5-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libressl2.6-libcrypto@2.6.5-r0", + "libressl2.6-libssl@2.6.5-r0", + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "libsasl": { + "package_url": "pkg:apk/alpine/libsasl@2.1.26-r11?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "db@5.3.28-r0", + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "libsodium": { + "package_url": "pkg:apk/alpine/libsodium@1.0.15-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "libssh2": { + "package_url": "pkg:apk/alpine/libssh2@1.8.0-r2?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libressl2.6-libcrypto@2.6.5-r0", + "musl@1.1.18-r3", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "libuuid": { + "package_url": "pkg:apk/alpine/libuuid@2.31-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "libxml2": { + "package_url": "pkg:apk/alpine/libxml2@2.9.7-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "mercurial": { + "package_url": "pkg:apk/alpine/mercurial@4.5.2-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + 
"musl@1.1.18-r3", + "python2@2.7.15-r2" + ], + "scope": "runtime" + }, + "musl": { + "package_url": "pkg:apk/alpine/musl@1.1.18-r3?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "scope": "runtime" + }, + "musl-utils": { + "package_url": "pkg:apk/alpine/musl-utils@1.1.18-r3?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3", + "scanelf@1.2.2-r1" + ], + "scope": "runtime" + }, + "ncurses-libs": { + "package_url": "pkg:apk/alpine/ncurses-libs@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3", + "ncurses-terminfo-base@6.0_p20171125-r1", + "ncurses-terminfo@6.0_p20171125-r1" + ], + "scope": "runtime" + }, + "ncurses-terminfo": { + "package_url": "pkg:apk/alpine/ncurses-terminfo@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "ncurses-terminfo-base@6.0_p20171125-r1" + ], + "scope": "runtime" + }, + "ncurses-terminfo-base": { + "package_url": "pkg:apk/alpine/ncurses-terminfo-base@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "scope": "runtime" + }, + "openssh": { + "package_url": "pkg:apk/alpine/openssh@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libressl2.6-libcrypto@2.6.5-r0", + "musl@1.1.18-r3", + "openssh-client@7.5_p1-r9", + "openssh-server@7.5_p1-r9", + "openssh-sftp-server@7.5_p1-r9" + ], + "scope": "runtime" + }, + "openssh-client": { + "package_url": "pkg:apk/alpine/openssh-client@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libressl2.6-libcrypto@2.6.5-r0", + "musl@1.1.18-r3", + "openssh-keygen@7.5_p1-r9", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "openssh-keygen": { + "package_url": "pkg:apk/alpine/openssh-keygen@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libressl2.6-libcrypto@2.6.5-r0", + 
"musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "openssh-server": { + "package_url": "pkg:apk/alpine/openssh-server@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libressl2.6-libcrypto@2.6.5-r0", + "musl@1.1.18-r3", + "openssh-keygen@7.5_p1-r9", + "openssh-server-common@7.5_p1-r9", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "openssh-server-common": { + "package_url": "pkg:apk/alpine/openssh-server-common@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "scope": "runtime" + }, + "openssh-sftp-server": { + "package_url": "pkg:apk/alpine/openssh-sftp-server@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "patch": { + "package_url": "pkg:apk/alpine/patch@2.7.5-r2?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "pcre2": { + "package_url": "pkg:apk/alpine/pcre2@10.30-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "pkgconf": { + "package_url": "pkg:apk/alpine/pkgconf@1.3.10-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "python2": { + "package_url": "pkg:apk/alpine/python2@2.7.15-r2?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "expat@2.2.5-r0", + "gdbm@1.13-r1", + "libbz2@1.0.6-r6", + "libffi@3.2.1-r4", + "libressl2.6-libcrypto@2.6.5-r0", + "libressl2.6-libssl@2.6.5-r0", + "musl@1.1.18-r3", + "ncurses-libs@6.0_p20171125-r1", + "readline@7.0.003-r0", + "sqlite-libs@3.21.0-r1", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "readline": { + "package_url": "pkg:apk/alpine/readline@7.0.003-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3", + 
"ncurses-libs@6.0_p20171125-r1" + ], + "scope": "runtime" + }, + "scanelf": { + "package_url": "pkg:apk/alpine/scanelf@1.2.2-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "serf": { + "package_url": "pkg:apk/alpine/serf@1.3.9-r3?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "apr-util@1.6.1-r1", + "apr@1.6.3-r0", + "libressl2.6-libcrypto@2.6.5-r0", + "libressl2.6-libssl@2.6.5-r0", + "musl@1.1.18-r3", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "sqlite-libs": { + "package_url": "pkg:apk/alpine/sqlite-libs@3.21.0-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "ssl_client": { + "package_url": "pkg:apk/alpine/ssl_client@1.27.2-r11?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "libressl2.6-libtls@2.6.5-r0", + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "subversion": { + "package_url": "pkg:apk/alpine/subversion@1.9.7-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "apr-util@1.6.1-r1", + "apr@1.6.3-r0", + "busybox@1.27.2-r11", + "libsasl@2.1.26-r11", + "musl@1.1.18-r3", + "subversion-libs@1.9.7-r0" + ], + "scope": "runtime" + }, + "subversion-libs": { + "package_url": "pkg:apk/alpine/subversion-libs@1.9.7-r0?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "apr-util@1.6.1-r1", + "apr@1.6.3-r0", + "db@5.3.28-r0", + "expat@2.2.5-r0", + "libsasl@2.1.26-r11", + "musl@1.1.18-r3", + "serf@1.3.9-r3", + "sqlite-libs@3.21.0-r1", + "zlib@1.2.11-r1" + ], + "scope": "runtime" + }, + "tar": { + "package_url": "pkg:apk/alpine/tar@1.29-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "tini": { + "package_url": "pkg:apk/alpine/tini@0.16.1-r0?arch=x86_64\u0026distro=3.7.1", + 
"relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "xz": { + "package_url": "pkg:apk/alpine/xz@5.2.3-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3", + "xz-libs@5.2.3-r1" + ], + "scope": "runtime" + }, + "xz-libs": { + "package_url": "pkg:apk/alpine/xz-libs@5.2.3-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + }, + "zlib": { + "package_url": "pkg:apk/alpine/zlib@1.2.11-r1?arch=x86_64\u0026distro=3.7.1", + "relationship": "direct", + "dependencies": [ + "musl@1.1.18-r3" + ], + "scope": "runtime" + } + } + }, + "php-app/composer.lock": { + "name": "composer", + "file": { + "source_location": "knqyf263/vuln-image:1.2.3@sha256:1e8b199249d6d0ef3419ddc6eda2348d9fbdb10d350d3bb70aa98e87faa227c9" + }, + "resolved": { + "guzzlehttp/guzzle": { + "package_url": "pkg:composer/guzzlehttp/guzzle@6.2.0", + "relationship": "direct", + "dependencies": [ + "guzzlehttp/promises@v1.3.1", + "guzzlehttp/psr7@1.5.2" + ], + "scope": "runtime" + }, + "guzzlehttp/promises": { + "package_url": "pkg:composer/guzzlehttp/promises@v1.3.1", + "relationship": "direct", + "scope": "runtime" + }, + "guzzlehttp/psr7": { + "package_url": "pkg:composer/guzzlehttp/psr7@1.5.2", + "relationship": "direct", + "dependencies": [ + "psr/http-message@1.0.1", + "ralouphie/getallheaders@2.0.5" + ], + "scope": "runtime" + }, + "laravel/installer": { + "package_url": "pkg:composer/laravel/installer@v2.0.1", + "relationship": "direct", + "dependencies": [ + "guzzlehttp/guzzle@6.2.0", + "symfony/console@v4.2.7", + "symfony/filesystem@v4.2.7", + "symfony/process@v4.2.7" + ], + "scope": "runtime" + }, + "pear/log": { + "package_url": "pkg:composer/pear/log@1.13.1", + "relationship": "direct", + "dependencies": [ + "pear/pear_exception@v1.0.0" + ], + "scope": "runtime" + }, + "pear/pear_exception": { + "package_url": 
"pkg:composer/pear/pear_exception@v1.0.0", + "relationship": "direct", + "scope": "runtime" + }, + "psr/http-message": { + "package_url": "pkg:composer/psr/http-message@1.0.1", + "relationship": "direct", + "scope": "runtime" + }, + "ralouphie/getallheaders": { + "package_url": "pkg:composer/ralouphie/getallheaders@2.0.5", + "relationship": "direct", + "scope": "runtime" + }, + "symfony/console": { + "package_url": "pkg:composer/symfony/console@v4.2.7", + "relationship": "direct", + "dependencies": [ + "symfony/contracts@v1.0.2", + "symfony/polyfill-mbstring@v1.11.0" + ], + "scope": "runtime" + }, + "symfony/contracts": { + "package_url": "pkg:composer/symfony/contracts@v1.0.2", + "relationship": "direct", + "scope": "runtime" + }, + "symfony/filesystem": { + "package_url": "pkg:composer/symfony/filesystem@v4.2.7", + "relationship": "direct", + "dependencies": [ + "symfony/polyfill-ctype@v1.11.0" + ], + "scope": "runtime" + }, + "symfony/polyfill-ctype": { + "package_url": "pkg:composer/symfony/polyfill-ctype@v1.11.0", + "relationship": "direct", + "scope": "runtime" + }, + "symfony/polyfill-mbstring": { + "package_url": "pkg:composer/symfony/polyfill-mbstring@v1.11.0", + "relationship": "direct", + "scope": "runtime" + }, + "symfony/process": { + "package_url": "pkg:composer/symfony/process@v4.2.7", + "relationship": "direct", + "scope": "runtime" + } + } + }, + "rust-app/Cargo.lock": { + "name": "cargo", + "file": { + "source_location": "knqyf263/vuln-image:1.2.3@sha256:1e8b199249d6d0ef3419ddc6eda2348d9fbdb10d350d3bb70aa98e87faa227c9" + }, + "resolved": { + "ammonia": { + "package_url": "pkg:cargo/ammonia@1.9.0", + "relationship": "direct", + "dependencies": [ + "html5ever@0.23.0", + "lazy_static@1.3.0", + "maplit@1.0.1", + "matches@0.1.8", + "tendril@0.4.1", + "url@1.7.2" + ], + "scope": "runtime" + }, + "autocfg": { + "package_url": "pkg:cargo/autocfg@0.1.2", + "relationship": "direct", + "scope": "runtime" + }, + "bitflags": { + "package_url": 
"pkg:cargo/bitflags@1.0.4", + "relationship": "direct", + "scope": "runtime" + }, + "cfg-if": { + "package_url": "pkg:cargo/cfg-if@0.1.7", + "relationship": "direct", + "scope": "runtime" + }, + "cloudabi": { + "package_url": "pkg:cargo/cloudabi@0.0.3", + "relationship": "direct", + "dependencies": [ + "bitflags@1.0.4" + ], + "scope": "runtime" + }, + "fuchsia-cprng": { + "package_url": "pkg:cargo/fuchsia-cprng@0.1.1", + "relationship": "direct", + "scope": "runtime" + }, + "futf": { + "package_url": "pkg:cargo/futf@0.1.4", + "relationship": "direct", + "dependencies": [ + "mac@0.1.1", + "new_debug_unreachable@1.0.3" + ], + "scope": "runtime" + }, + "gdi32-sys": { + "package_url": "pkg:cargo/gdi32-sys@0.2.0", + "relationship": "direct", + "dependencies": [ + "winapi-build@0.1.1", + "winapi@0.2.8" + ], + "scope": "runtime" + }, + "html5ever": { + "package_url": "pkg:cargo/html5ever@0.23.0", + "relationship": "direct", + "dependencies": [ + "log@0.4.6", + "mac@0.1.1", + "markup5ever@0.8.1", + "proc-macro2@0.4.30", + "quote@0.6.12", + "syn@0.15.34" + ], + "scope": "runtime" + }, + "idna": { + "package_url": "pkg:cargo/idna@0.1.5", + "relationship": "direct", + "dependencies": [ + "matches@0.1.8", + "unicode-bidi@0.3.4", + "unicode-normalization@0.1.8" + ], + "scope": "runtime" + }, + "itoa": { + "package_url": "pkg:cargo/itoa@0.4.4", + "relationship": "direct", + "scope": "runtime" + }, + "kernel32-sys": { + "package_url": "pkg:cargo/kernel32-sys@0.2.2", + "relationship": "direct", + "dependencies": [ + "winapi-build@0.1.1", + "winapi@0.2.8" + ], + "scope": "runtime" + }, + "lazy_static": { + "package_url": "pkg:cargo/lazy_static@1.3.0", + "relationship": "direct", + "scope": "runtime" + }, + "libc": { + "package_url": "pkg:cargo/libc@0.2.54", + "relationship": "direct", + "scope": "runtime" + }, + "libressl-pnacl-sys": { + "package_url": "pkg:cargo/libressl-pnacl-sys@2.1.6", + "relationship": "direct", + "dependencies": [ + "pnacl-build-helper@1.4.11" + ], + "scope": 
"runtime" + }, + "log": { + "package_url": "pkg:cargo/log@0.4.6", + "relationship": "direct", + "dependencies": [ + "cfg-if@0.1.7" + ], + "scope": "runtime" + }, + "mac": { + "package_url": "pkg:cargo/mac@0.1.1", + "relationship": "direct", + "scope": "runtime" + }, + "maplit": { + "package_url": "pkg:cargo/maplit@1.0.1", + "relationship": "direct", + "scope": "runtime" + }, + "markup5ever": { + "package_url": "pkg:cargo/markup5ever@0.8.1", + "relationship": "direct", + "dependencies": [ + "log@0.4.6", + "phf@0.7.24", + "phf_codegen@0.7.24", + "serde@1.0.91", + "serde_derive@1.0.91", + "serde_json@1.0.39", + "string_cache@0.7.3", + "string_cache_codegen@0.4.2", + "tendril@0.4.1" + ], + "scope": "runtime" + }, + "matches": { + "package_url": "pkg:cargo/matches@0.1.8", + "relationship": "direct", + "scope": "runtime" + }, + "new_debug_unreachable": { + "package_url": "pkg:cargo/new_debug_unreachable@1.0.3", + "relationship": "direct", + "scope": "runtime" + }, + "normal": { + "package_url": "pkg:cargo/normal@0.1.0", + "relationship": "direct", + "dependencies": [ + "ammonia@2.0.0", + "libc@0.2.54", + "openssl@0.8.3" + ], + "scope": "runtime" + }, + "openssl": { + "package_url": "pkg:cargo/openssl@0.8.3", + "relationship": "direct", + "dependencies": [ + "bitflags@0.7.0", + "lazy_static@0.2.11", + "libc@0.2.54", + "openssl-sys@0.7.17" + ], + "scope": "runtime" + }, + "openssl-sys": { + "package_url": "pkg:cargo/openssl-sys@0.7.17", + "relationship": "direct", + "dependencies": [ + "gdi32-sys@0.2.0", + "libc@0.2.54", + "libressl-pnacl-sys@2.1.6", + "pkg-config@0.3.14", + "user32-sys@0.2.0" + ], + "scope": "runtime" + }, + "percent-encoding": { + "package_url": "pkg:cargo/percent-encoding@1.0.1", + "relationship": "direct", + "scope": "runtime" + }, + "phf": { + "package_url": "pkg:cargo/phf@0.7.24", + "relationship": "direct", + "dependencies": [ + "phf_shared@0.7.24" + ], + "scope": "runtime" + }, + "phf_codegen": { + "package_url": "pkg:cargo/phf_codegen@0.7.24", + 
"relationship": "direct", + "dependencies": [ + "phf_generator@0.7.24", + "phf_shared@0.7.24" + ], + "scope": "runtime" + }, + "phf_generator": { + "package_url": "pkg:cargo/phf_generator@0.7.24", + "relationship": "direct", + "dependencies": [ + "phf_shared@0.7.24", + "rand@0.6.5" + ], + "scope": "runtime" + }, + "phf_shared": { + "package_url": "pkg:cargo/phf_shared@0.7.24", + "relationship": "direct", + "dependencies": [ + "siphasher@0.2.3" + ], + "scope": "runtime" + }, + "pkg-config": { + "package_url": "pkg:cargo/pkg-config@0.3.14", + "relationship": "direct", + "scope": "runtime" + }, + "pnacl-build-helper": { + "package_url": "pkg:cargo/pnacl-build-helper@1.4.11", + "relationship": "direct", + "dependencies": [ + "tempdir@0.3.7", + "walkdir@1.0.7" + ], + "scope": "runtime" + }, + "precomputed-hash": { + "package_url": "pkg:cargo/precomputed-hash@0.1.1", + "relationship": "direct", + "scope": "runtime" + }, + "proc-macro2": { + "package_url": "pkg:cargo/proc-macro2@0.4.30", + "relationship": "direct", + "dependencies": [ + "unicode-xid@0.1.0" + ], + "scope": "runtime" + }, + "quote": { + "package_url": "pkg:cargo/quote@0.6.12", + "relationship": "direct", + "dependencies": [ + "proc-macro2@0.4.30" + ], + "scope": "runtime" + }, + "rand": { + "package_url": "pkg:cargo/rand@0.6.5", + "relationship": "direct", + "dependencies": [ + "autocfg@0.1.2", + "libc@0.2.54", + "rand_chacha@0.1.1", + "rand_core@0.4.0", + "rand_hc@0.1.0", + "rand_isaac@0.1.1", + "rand_jitter@0.1.4", + "rand_os@0.1.3", + "rand_pcg@0.1.2", + "rand_xorshift@0.1.1", + "winapi@0.3.7" + ], + "scope": "runtime" + }, + "rand_chacha": { + "package_url": "pkg:cargo/rand_chacha@0.1.1", + "relationship": "direct", + "dependencies": [ + "autocfg@0.1.2", + "rand_core@0.3.1" + ], + "scope": "runtime" + }, + "rand_core": { + "package_url": "pkg:cargo/rand_core@0.4.0", + "relationship": "direct", + "scope": "runtime" + }, + "rand_hc": { + "package_url": "pkg:cargo/rand_hc@0.1.0", + "relationship": 
"direct", + "dependencies": [ + "rand_core@0.3.1" + ], + "scope": "runtime" + }, + "rand_isaac": { + "package_url": "pkg:cargo/rand_isaac@0.1.1", + "relationship": "direct", + "dependencies": [ + "rand_core@0.3.1" + ], + "scope": "runtime" + }, + "rand_jitter": { + "package_url": "pkg:cargo/rand_jitter@0.1.4", + "relationship": "direct", + "dependencies": [ + "libc@0.2.54", + "rand_core@0.4.0", + "winapi@0.3.7" + ], + "scope": "runtime" + }, + "rand_os": { + "package_url": "pkg:cargo/rand_os@0.1.3", + "relationship": "direct", + "dependencies": [ + "cloudabi@0.0.3", + "fuchsia-cprng@0.1.1", + "libc@0.2.54", + "rand_core@0.4.0", + "rdrand@0.4.0", + "winapi@0.3.7" + ], + "scope": "runtime" + }, + "rand_pcg": { + "package_url": "pkg:cargo/rand_pcg@0.1.2", + "relationship": "direct", + "dependencies": [ + "autocfg@0.1.2", + "rand_core@0.4.0" + ], + "scope": "runtime" + }, + "rand_xorshift": { + "package_url": "pkg:cargo/rand_xorshift@0.1.1", + "relationship": "direct", + "dependencies": [ + "rand_core@0.3.1" + ], + "scope": "runtime" + }, + "rdrand": { + "package_url": "pkg:cargo/rdrand@0.4.0", + "relationship": "direct", + "dependencies": [ + "rand_core@0.3.1" + ], + "scope": "runtime" + }, + "remove_dir_all": { + "package_url": "pkg:cargo/remove_dir_all@0.5.1", + "relationship": "direct", + "dependencies": [ + "winapi@0.3.7" + ], + "scope": "runtime" + }, + "ryu": { + "package_url": "pkg:cargo/ryu@0.2.8", + "relationship": "direct", + "scope": "runtime" + }, + "same-file": { + "package_url": "pkg:cargo/same-file@0.1.3", + "relationship": "direct", + "dependencies": [ + "kernel32-sys@0.2.2", + "winapi@0.2.8" + ], + "scope": "runtime" + }, + "serde": { + "package_url": "pkg:cargo/serde@1.0.91", + "relationship": "direct", + "scope": "runtime" + }, + "serde_derive": { + "package_url": "pkg:cargo/serde_derive@1.0.91", + "relationship": "direct", + "dependencies": [ + "proc-macro2@0.4.30", + "quote@0.6.12", + "syn@0.15.34" + ], + "scope": "runtime" + }, + "serde_json": { 
+ "package_url": "pkg:cargo/serde_json@1.0.39", + "relationship": "direct", + "dependencies": [ + "itoa@0.4.4", + "ryu@0.2.8", + "serde@1.0.91" + ], + "scope": "runtime" + }, + "siphasher": { + "package_url": "pkg:cargo/siphasher@0.2.3", + "relationship": "direct", + "scope": "runtime" + }, + "smallvec": { + "package_url": "pkg:cargo/smallvec@0.6.9", + "relationship": "direct", + "scope": "runtime" + }, + "string_cache": { + "package_url": "pkg:cargo/string_cache@0.7.3", + "relationship": "direct", + "dependencies": [ + "lazy_static@1.3.0", + "new_debug_unreachable@1.0.3", + "phf_shared@0.7.24", + "precomputed-hash@0.1.1", + "serde@1.0.91", + "string_cache_codegen@0.4.2", + "string_cache_shared@0.3.0" + ], + "scope": "runtime" + }, + "string_cache_codegen": { + "package_url": "pkg:cargo/string_cache_codegen@0.4.2", + "relationship": "direct", + "dependencies": [ + "phf_generator@0.7.24", + "phf_shared@0.7.24", + "proc-macro2@0.4.30", + "quote@0.6.12", + "string_cache_shared@0.3.0" + ], + "scope": "runtime" + }, + "string_cache_shared": { + "package_url": "pkg:cargo/string_cache_shared@0.3.0", + "relationship": "direct", + "scope": "runtime" + }, + "syn": { + "package_url": "pkg:cargo/syn@0.15.34", + "relationship": "direct", + "dependencies": [ + "proc-macro2@0.4.30", + "quote@0.6.12", + "unicode-xid@0.1.0" + ], + "scope": "runtime" + }, + "tempdir": { + "package_url": "pkg:cargo/tempdir@0.3.7", + "relationship": "direct", + "dependencies": [ + "rand@0.4.6", + "remove_dir_all@0.5.1" + ], + "scope": "runtime" + }, + "tendril": { + "package_url": "pkg:cargo/tendril@0.4.1", + "relationship": "direct", + "dependencies": [ + "futf@0.1.4", + "mac@0.1.1", + "utf-8@0.7.5" + ], + "scope": "runtime" + }, + "unicode-bidi": { + "package_url": "pkg:cargo/unicode-bidi@0.3.4", + "relationship": "direct", + "dependencies": [ + "matches@0.1.8" + ], + "scope": "runtime" + }, + "unicode-normalization": { + "package_url": "pkg:cargo/unicode-normalization@0.1.8", + "relationship": 
"direct", + "dependencies": [ + "smallvec@0.6.9" + ], + "scope": "runtime" + }, + "unicode-xid": { + "package_url": "pkg:cargo/unicode-xid@0.1.0", + "relationship": "direct", + "scope": "runtime" + }, + "url": { + "package_url": "pkg:cargo/url@1.7.2", + "relationship": "direct", + "dependencies": [ + "idna@0.1.5", + "matches@0.1.8", + "percent-encoding@1.0.1" + ], + "scope": "runtime" + }, + "user32-sys": { + "package_url": "pkg:cargo/user32-sys@0.2.0", + "relationship": "direct", + "dependencies": [ + "winapi-build@0.1.1", + "winapi@0.2.8" + ], + "scope": "runtime" + }, + "utf-8": { + "package_url": "pkg:cargo/utf-8@0.7.5", + "relationship": "direct", + "scope": "runtime" + }, + "walkdir": { + "package_url": "pkg:cargo/walkdir@1.0.7", + "relationship": "direct", + "dependencies": [ + "kernel32-sys@0.2.2", + "same-file@0.1.3", + "winapi@0.2.8" + ], + "scope": "runtime" + }, + "winapi": { + "package_url": "pkg:cargo/winapi@0.3.7", + "relationship": "direct", + "dependencies": [ + "winapi-i686-pc-windows-gnu@0.4.0", + "winapi-x86_64-pc-windows-gnu@0.4.0" + ], + "scope": "runtime" + }, + "winapi-build": { + "package_url": "pkg:cargo/winapi-build@0.1.1", + "relationship": "direct", + "scope": "runtime" + }, + "winapi-i686-pc-windows-gnu": { + "package_url": "pkg:cargo/winapi-i686-pc-windows-gnu@0.4.0", + "relationship": "direct", + "scope": "runtime" + }, + "winapi-x86_64-pc-windows-gnu": { + "package_url": "pkg:cargo/winapi-x86_64-pc-windows-gnu@0.4.0", + "relationship": "direct", + "scope": "runtime" + } + } + } + } +} \ No newline at end of file diff --git a/test/data/image-sarif.test b/test/data/image-sarif.test deleted file mode 100644 index c6295c9d..00000000 --- a/test/data/image-sarif.test +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://json.schemastore.org/sarif-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "fullName": "Trivy Vulnerability Scanner", - "informationUri": "https://github.com/aquasecurity/trivy", - "name": "Trivy", - "rules": [ - { - "id": "CVE-2021-36159", - "name": "OsPackageVulnerability", - "shortDescription": { - "text": "CVE-2021-36159" - }, - "fullDescription": { - "text": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the \u0026#39;\\0\u0026#39; terminator one byte too late." - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/nvd/cve-2021-36159", - "help": { - "text": "Vulnerability CVE-2021-36159\nSeverity: CRITICAL\nPackage: apk-tools\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", - "markdown": "**Vulnerability CVE-2021-36159**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|apk-tools|2.10.7-r0|[CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)|\n\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. 
The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late." - }, - "properties": { - "precision": "very-high", - "security-severity": "9.1", - "tags": [ - "vulnerability", - "security", - "CRITICAL" - ] - } - } - ], - "version": "0.43.1" - } - }, - "results": [ - { - "ruleId": "CVE-2021-36159", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Package: apk-tools\nInstalled Version: 2.10.6-r0\nVulnerability CVE-2021-36159\nSeverity: CRITICAL\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "library/alpine", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 1 - } - } - } - ] - } - ], - "columnKind": "utf16CodeUnits", - "originalUriBaseIds": { - "ROOTPATH": { - "uri": "file:///" - } - } - } - ] -} diff --git a/test/data/image.test b/test/data/image-scan/report similarity index 99% rename from test/data/image.test rename to test/data/image-scan/report index d954ed1b..6e930cd7 100644 --- a/test/data/image.test +++ b/test/data/image-scan/report 
@@ -30,7 +30,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ arbitrary code execution via .gitmodules │ +│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │ diff --git a/test/data/rootfs.test b/test/data/rootfs-scan/report similarity index 100% rename from test/data/rootfs.test rename to test/data/rootfs-scan/report diff --git a/test/data/repo.test b/test/data/secret-scan/report.json similarity index 100% rename from test/data/repo.test rename to test/data/secret-scan/report.json diff --git a/test/data/.trivyignore1 b/test/data/with-ignore-files/.trivyignore1 similarity index 100% rename from test/data/.trivyignore1 rename to test/data/with-ignore-files/.trivyignore1 diff --git a/test/data/.trivyignore2 b/test/data/with-ignore-files/.trivyignore2 similarity index 100% rename from test/data/.trivyignore2 rename to test/data/with-ignore-files/.trivyignore2 diff --git a/test/data/image-trivyignores.test b/test/data/with-ignore-files/report similarity index 99% rename from test/data/image-trivyignores.test rename to test/data/with-ignore-files/report index aa3d4aee..8b262553 100644 --- a/test/data/image-trivyignores.test +++ b/test/data/with-ignore-files/report 
@@ -30,7 +30,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ arbitrary code execution via .gitmodules │ +│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │ diff --git a/test/data/dev.tfvars b/test/data/with-tf-vars/dev.tfvars similarity index 100% rename from test/data/dev.tfvars rename to test/data/with-tf-vars/dev.tfvars diff --git a/test/data/with-tf-vars/main.tf b/test/data/with-tf-vars/main.tf new file mode 100644 index 00000000..85208bb2 --- /dev/null +++ b/test/data/with-tf-vars/main.tf @@ -0,0 +1,18 @@ +# test data for trivy config with terraform variables + +variable "bucket_versioning_enabled" { + type = string + default = "Disabled" +} + +resource "aws_s3_bucket" "bucket" { + bucket = "trivy-action-bucket" +} + +resource "aws_s3_bucket_versioning" "bucket_versioning" { + bucket = aws_s3_bucket.bucket.id + + versioning_configuration { + status = var.bucket_versioning_enabled + } +} \ No newline at end of file diff --git a/test/data/tfvars.test b/test/data/with-tf-vars/report.json similarity index 86% rename from test/data/tfvars.test rename to test/data/with-tf-vars/report.json index c2d09b88..562b065f 100644 --- a/test/data/tfvars.test +++ b/test/data/with-tf-vars/report.json 
@@ -1,7 +1,7 @@ { "SchemaVersion": 2, - "CreatedAt": "2024-01-02T16:27:32.841193-07:00", - "ArtifactName": "test/data", + "CreatedAt": "2024-04-12T14:09:09.5680191+03:00", + "ArtifactName": "test/data/with-tf-vars/main.tf", "ArtifactType": "filesystem", "Metadata": { "ImageConfig": { diff --git a/test/data/yamlconfig.test b/test/data/with-trivy-yaml-cfg/report.json similarity index 95% rename from test/data/yamlconfig.test rename to test/data/with-trivy-yaml-cfg/report.json index 0edc4774..b5e94ad5 100644 --- a/test/data/yamlconfig.test +++ b/test/data/with-trivy-yaml-cfg/report.json @@ -63,6 +63,9 @@ "VulnerabilityID": "CVE-2021-36159", "PkgID": "apk-tools@2.10.6-r0", "PkgName": "apk-tools", + "PkgIdentifier": { + "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9" + }, "InstalledVersion": "2.10.6-r0", "FixedVersion": "2.10.7-r0", "Status": "fixed", @@ -83,6 +86,10 @@ "CweIDs": [ "CWE-125" ], + "VendorSeverity": { + "nvd": 4, + "redhat": 3 + }, "CVSS": { "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", diff --git a/test/data/trivy.yaml b/test/data/with-trivy-yaml-cfg/trivy.yaml similarity index 71% rename from test/data/trivy.yaml rename to test/data/with-trivy-yaml-cfg/trivy.yaml index f2b0201c..33fdd4e6 100644 --- a/test/data/trivy.yaml +++ b/test/data/with-trivy-yaml-cfg/trivy.yaml @@ -2,4 +2,4 @@ format: json severity: CRITICAL vulnerability: type: os -output: yamlconfig.test \ No newline at end of file +output: yamlconfig.json \ No newline at end of file diff --git a/test/test.bats b/test/test.bats index 0d107817..1e0f3ceb 100644 --- a/test/test.bats +++ b/test/test.bats 
@@ -1,99 +1,123 @@ #!/usr/bin/env bats -bats_load_library bats-support -bats_load_library bats-assert -bats_load_library bats-file -@test "trivy repo with securityCheck secret only" { - # trivy repo --format json --output repo.test --scanners=secret https://github.com/krol3/demo-trivy/ - run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/' - run diff repo.test ./test/data/repo.test +setup_file() { + local owner=$GITHUB_REPOSITORY_OWNER + export TRIVY_DB_REPOSITORY=ghcr.io/${owner}/trivy-db-act:latest + export TRIVY_JAVA_DB_REPOSITORY=ghcr.io/${owner}/trivy-java-db-act:latest + export TRIVY_POLICY_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest +} + +setup() { + bats_load_library bats-support + bats_load_library bats-assert + bats_load_library bats-file +} + +function remove_json_fields() { + local file="$1" + if [[ "$file" == *.json ]]; then + jq 'del(.CreatedAt)' "$file" > tmp && mv tmp "$file" + fi +} + +function remove_sarif_fields() { + local file="$1" + if [[ "$file" == *.sarif ]]; then + jq 'del(.runs[].tool.driver.version) | del(.runs[].originalUriBaseIds)' "$file" > tmp && mv tmp "$file" + fi +} + +function remove_github_fields() { + local file="$1" + if [[ "$file" == *.gsbom ]]; then + jq 'del(.detector.version) | del(.scanned) | del(.job) | del(.ref) | del(.sha)' "$file" > tmp && mv tmp "$file" + fi +} + +function compare_files() { + local file1="$1" + local file2="$2" + + # Some fields should be removed as they are environment dependent + # and may cause undesirable results when comparing files. 
+ remove_json_fields "$file1" + remove_json_fields "$file2" + + remove_sarif_fields "$file1" + remove_sarif_fields "$file2" + + remove_github_fields "$file1" + remove_github_fields "$file2" + + run diff "$file1" "$file2" echo "$output" - assert_files_equal repo.test ./test/data/repo.test + assert_files_equal "$file1" "$file2" +} + +@test "trivy repo with securityCheck secret only" { + # trivy repo -f json -o repo.test --scanners=secret https://github.com/krol3/demo-trivy/ + run ./entrypoint.sh '-b json' '-h repo.json' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/' + compare_files repo.json ./test/data/secret-scan/report.json } @test "trivy image" { - # trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3 + # trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3 run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL' - run diff image.test ./test/data/image.test - echo "$output" - assert_files_equal image.test ./test/data/image.test + compare_files image.test ./test/data/image-scan/report } @test "trivy config sarif report" { - # trivy config --format sarif --output config-sarif.test . - run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .' - run diff config-sarif.test ./test/data/config-sarif.test - echo "$output" - assert_files_equal config-sarif.test ./test/data/config-sarif.test + # trivy config -f sarif -o config-sarif.test ./test/data/config-sarif-report + run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.sarif' '-j ./test/data/config-sarif-report/main.tf' + compare_files config-sarif.sarif ./test/data/config-sarif-report/report.sarif } @test "trivy config" { - # trivy config --format json --output config.test . - run ./entrypoint.sh '-a config' '-b json' '-j .' 
'-h config.test' - run diff config.test ./test/data/config.test - echo "$output" - assert_files_equal config.test ./test/data/config.test + # trivy config -f json -o config.json ./test/data/config-scan + run ./entrypoint.sh '-a config' '-b json' '-j ./test/data/config-scan' '-h config.json' + compare_files config.json ./test/data/config-scan/report.json } @test "trivy rootfs" { - # trivy rootfs --output rootfs.test . - run ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test' - run diff rootfs.test ./test/data/rootfs.test - echo "$output" - assert_files_equal rootfs.test ./test/data/rootfs.test + # trivy rootfs --output rootfs.test ./test/data/rootfs-scan + # TODO: add data + run ./entrypoint.sh '-a rootfs' '-j ./test/data/rootfs-scan' '-h rootfs.test' + compare_files rootfs.test ./test/data/rootfs-scan/report } @test "trivy fs" { - # trivy fs --output fs.test . - run ./entrypoint.sh '-a fs' '-j .' '-h fs.test' - run diff fs.test ./test/data/fs.test - echo "$output" - assert_files_equal fs.test ./test/data/fs.test + # trivy fs --output fs.test ./test/data/fs-scan + # TODO: add data + run ./entrypoint.sh '-a fs' '-j ./test/data/fs-scan' '-h fs.test' + compare_files fs.test ./test/data/fs-scan/report } -@test "trivy fs with securityChecks option" { - # trivy fs --format json --scanners=vuln,config --output fs-scheck.test . - run ./entrypoint.sh '-a fs' '-b json' '-j .' 
'-s vuln,config,secret' '-h fs-scheck.test' - run diff fs-scheck.test ./test/data/fs-scheck.test - echo "$output" - assert_files_equal fs-scheck.test ./test/data/fs-scheck.test -} - - @test "trivy image with trivyIgnores option" { - # cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3 - run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2' - run diff image-trivyignores.test ./test/data/image-trivyignores.test - echo "$output" - assert_files_equal image-trivyignores.test ./test/data/image-trivyignores.test + # cat ./test/data/with-ignore-files/.trivyignore1 ./test/data/with-ignore-files/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3 + run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/with-ignore-files/.trivyignore1,./test/data/with-ignore-files/.trivyignore2' + compare_files image-trivyignores.test ./test/data/with-ignore-files/report } @test "trivy image with sbom output" { # trivy image --format github knqyf263/vuln-image:1.2.3 - run ./entrypoint.sh "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3" - assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock + run ./entrypoint.sh "-a image" "-b github" "-h github-dep-snapshot.gsbom" "-i knqyf263/vuln-image:1.2.3" + compare_files github-dep-snapshot.gsbom ./test/data/github-dep-snapshot/report.gsbom } @test "trivy image with trivy.yaml config" { - # trivy --config=./test/data/trivy.yaml image alpine:3.10 - run ./entrypoint.sh "-v ./test/data/trivy.yaml" "-a image" "-i alpine:3.10" - run diff yamlconfig.test 
./test/data/yamlconfig.test - echo "$output" - assert_files_equal yamlconfig.test ./test/data/yamlconfig.test + # trivy --config=./test/data/with-trivy-yaml-cfg/trivy.yaml image alpine:3.10 + run ./entrypoint.sh "-v ./test/data/with-trivy-yaml-cfg/trivy.yaml" "-a image" "-i alpine:3.10" + compare_files yamlconfig.json ./test/data/with-trivy-yaml-cfg/report.json } @test "trivy image with custom docker-host" { # trivy image --docker-host unix:///var/run/docker.sock --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3 run ./entrypoint.sh '-y unix:///var/run/docker.sock' '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL' - run diff image.test ./test/data/image.test - echo "$output" - assert_files_equal image.test ./test/data/image.test + compare_files image.test ./test/data/image-scan/report } @test "trivy config with terraform variables" { - # trivy config --format json --severity MEDIUM --output tfvars.test --tf-vars ./test/data/dev.tfvars ./test/data - run ./entrypoint.sh "-a config" "-j ./test/data" "-h tfvars.test" "-g MEDIUM" "-x dev.tfvars" "-b json" - run diff tfvars.test ./test/data/tfvars.test - echo "$output" - assert_files_equal tfvars.test ./test/data/tfvars.test + # trivy config -f json -o tfvars.json --severity MEDIUM --tf-vars ./test/data/with-tf-vars/dev.tfvars ./test/data/with-tf-vars/main.tf + run ./entrypoint.sh "-a config" "-j ./test/data/with-tf-vars/main.tf" "-h tfvars.json" "-g MEDIUM" "-x ./test/data/with-tf-vars/dev.tfvars" "-b json" + compare_files tfvars.json ./test/data/with-tf-vars/report.json } \ No newline at end of file From b2cd5ff52c525099076ae4f4178bc8e9b4da89ec Mon Sep 17 00:00:00 2001 From: simar7 <1254783+simar7@users.noreply.github.com> Date: Tue, 7 May 2024 18:03:36 -0600 Subject: [PATCH 19/21] Update bump-trivy.yaml --- .github/workflows/bump-trivy.yaml | 1 - 1 file changed, 1 deletion(-) 
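Review bot: `compare_files` rewrites both of its arguments in place through the `remove_*_fields` helpers, so every run strips fields from the checked-in expected report under `./test/data/...` and leaves the working tree modified; the helpers also all write to a fixed `tmp` in the current directory, which collides if tests ever run in parallel. Filtering a copy of the expected file in `$BATS_TEST_TMPDIR` and using `mktemp` for the intermediate keeps the fixtures untouched. Separately, `setup_file` derives the DB repositories from `$GITHUB_REPOSITORY_OWNER` with no default, so a local run yields `ghcr.io//trivy-db-act:latest`; `local owner=${GITHUB_REPOSITORY_OWNER:?GITHUB_REPOSITORY_OWNER must be set}` fails early with a clear message, and since `:latest` is a mutable tag the DB the tests resolve can change between runs.
```shell
function remove_json_fields() {
    local file="$1"
    if [[ "$file" == *.json ]]; then
        local tmp; tmp=$(mktemp)
        jq 'del(.CreatedAt)' "$file" > "$tmp" && mv "$tmp" "$file"
    fi
}
# … same mktemp change in remove_sarif_fields and remove_github_fields …

function compare_files() {
    local file1="$1"
    local file2="$2"

    # Filter a copy of the expected report so the checked-in fixture is never rewritten.
    local expected="$BATS_TEST_TMPDIR/$(basename "$file2")"
    cp "$file2" "$expected"

    # Some fields should be removed as they are environment dependent
    # and may cause undesirable results when comparing files.
    remove_json_fields "$file1"
    remove_json_fields "$expected"

    remove_sarif_fields "$file1"
    remove_sarif_fields "$expected"

    remove_github_fields "$file1"
    remove_github_fields "$expected"

    run diff "$file1" "$expected"
    echo "$output"
    assert_files_equal "$file1" "$expected"
}
```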
diff --git a/.github/workflows/bump-trivy.yaml b/.github/workflows/bump-trivy.yaml index 32a8b20d..e035a45e 100644 --- a/.github/workflows/bump-trivy.yaml +++ b/.github/workflows/bump-trivy.yaml @@ -18,7 +18,6 @@ jobs: - name: Update Trivy versions run: | sed -r -i "s/ghcr.io\/aquasecurity\/trivy:[0-9]+\.[0-9]+\.[0-9]+/ghcr.io\/aquasecurity\/trivy:${{ inputs.trivy_version }}/" Dockerfile - sed -r -i "s/TRIVY_VERSION: [0-9]+\.[0-9]+\.[0-9]+/TRIVY_VERSION: ${{ inputs.trivy_version }}/" .github/workflows/build.yaml find test/data -type f -name '*.test' | xargs sed -r -i 's/"version": "[0-9]+\.[0-9]+\.[0-9]+"/"version": "${{ inputs.trivy_version }}"/' - name: Create PR From b2933f565dbc598b29947660e66259e3c7bc8561 Mon Sep 17 00:00:00 2001 From: simar7 <1254783+simar7@users.noreply.github.com> Date: Tue, 7 May 2024 21:42:16 -0600 Subject: [PATCH 20/21] bump trivy version to v0.51.1 (#353) * bump trivy version to v0.51.1 * update tests --- .github/workflows/test.yaml | 2 +- Dockerfile | 2 +- test/data/image-scan/report | 6 +++--- test/data/with-ignore-files/report | 6 +++--- test/data/with-trivy-yaml-cfg/report.json | 3 ++- 5 files changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 7a2b0a49..9f9cfc75 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -6,7 +6,7 @@ on: workflow_dispatch: env: - TRIVY_VERSION: 0.50.2 + TRIVY_VERSION: 0.51.1 BATS_LIB_PATH: '/usr/lib/' jobs: diff --git a/Dockerfile b/Dockerfile index 5d89ff66..197973d2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/aquasecurity/trivy:0.50.2 +FROM ghcr.io/aquasecurity/trivy:0.51.1 COPY entrypoint.sh / RUN apk --no-cache add bash curl npm RUN chmod +x /entrypoint.sh diff --git a/test/data/image-scan/report b/test/data/image-scan/report index 6e930cd7..8db96024 100644 --- a/test/data/image-scan/report +++ b/test/data/image-scan/report 
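Review bot: Dropping the `build.yaml` sed leaves nothing in the "Update Trivy versions" step that refreshes `TRIVY_VERSION` in `.github/workflows/test.yaml`, which the following patch in this series bumps by hand from 0.50.2 to 0.51.1; repointing the removed line at that file, `sed -r -i "s/TRIVY_VERSION: [0-9]+\.[0-9]+\.[0-9]+/TRIVY_VERSION: ${{ inputs.trivy_version }}/" .github/workflows/test.yaml`, would keep the bump automation complete. The surviving `find test/data -type f -name '*.test'` also appears to miss the fixtures renamed earlier in the series to `report`, `report.json` and `report.sarif`, so the recorded scanner `"version"` in those files would no longer be rewritten here, though `compare_files` now strips that field before comparing, so the practical effect may be nil. The job surrounding this step continues outside the hunk.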
@@ -27,7 +27,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │ @@ -58,7 +58,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │ 
@@ -69,7 +69,7 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ heap out-of-bound read in function rtreenode() │ +│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │ └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ diff --git a/test/data/with-ignore-files/report b/test/data/with-ignore-files/report index 8b262553..b6177241 100644 --- a/test/data/with-ignore-files/report +++ b/test/data/with-ignore-files/report @@ -27,7 +27,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │ 
@@ -58,7 +58,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │ @@ -69,7 +69,7 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ heap out-of-bound read in function rtreenode() │ +│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │ └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ diff --git a/test/data/with-trivy-yaml-cfg/report.json b/test/data/with-trivy-yaml-cfg/report.json index b5e94ad5..ec66d25e 100644 --- a/test/data/with-trivy-yaml-cfg/report.json +++ b/test/data/with-trivy-yaml-cfg/report.json @@ -64,7 +64,8 @@ "PkgID": "apk-tools@2.10.6-r0", "PkgName": "apk-tools", "PkgIdentifier": { - "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9" + "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9", + "UID": "a6adb154870b6380" }, "InstalledVersion": "2.10.6-r0", "FixedVersion": "2.10.7-r0", 
From fd25fed6972e341ff0007ddb61f77e88103953c2 Mon Sep 17 00:00:00 2001
From: Vinayak S <84206636+Dr-DevOps@users.noreply.github.com>
Date: Wed, 22 May 2024 04:03:02 +0530
Subject: [PATCH 21/21] bump trivy version to v0.51.2 (#360)
* bump trivy version to v0.51.2
* bump trivy version to v0.51.2
---
 .github/workflows/test.yaml | 2 +-
 Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 9f9cfc75..d9003c71 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -6,7 +6,7 @@ on:
 workflow_dispatch:
 env:
- TRIVY_VERSION: 0.51.1
+ TRIVY_VERSION: 0.51.2
 BATS_LIB_PATH: '/usr/lib/'
 jobs:
diff --git a/Dockerfile b/Dockerfile
index 197973d2..6433ece9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.51.1
+FROM ghcr.io/aquasecurity/trivy:0.51.2
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh