bug(template): incorrect productArn field for secrets in asff template #6010

DmitriyLewen opened this issue Jan 26, 2024 Discussed in #6002 · 1 comment · Fixed by #6011
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/secret Issues relating to secret scanning

Comments

@DmitriyLewen
Contributor

Discussed in #6002

Originally posted by lumattr January 25, 2024

Description

For the type "Sensitive Data Identifications" the Id field uses a path which I believe is incompatible with the BatchImportFindings function.

Desired Behavior

{
    "FailedCount": 0,
    "SuccessCount": 2,
    "FailedFindings": []
}

Actual Behavior

An error occurred (InvalidInputException) when calling the BatchImportFindings operation: productArn: "arn:aws:securityhub:::product/aquasecurity/aquasecurity"

Reproduction Steps

  1. Create results.asff using the following content
results.asff
[
  {
    "SchemaVersion": "2018-10-08",
    "Id": "Ruby/CVE-2020-25613",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aquasecurity/aquasecurity",
    "GeneratorId": "Trivy/CVE-2020-25613",
    "AwsAccountId": "xxxxxxxxxxxx",
    "Types": [
      "Software and Configuration Checks/Vulnerabilities/CVE"
    ],
    "CreatedAt": "2024-01-25T16:12:37.059064639Z",
    "UpdatedAt": "2024-01-25T16:12:37.059068601Z",
    "Severity": {
      "Label": "HIGH"
    },
    "Title": "Trivy found a vulnerability to CVE-2020-25613 in container Ruby, related to webrick",
    "Description": "An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.",
    "Remediation": {
      "Recommendation": {
        "Text": "More information on this vulnerability is provided in the hyperlink",
        "Url": "https://avd.aquasec.com/nvd/cve-2020-25613"
      }
    },
    "ProductFields": {
      "Product Name": "Trivy"
    },
    "Resources": [
      {
        "Type": "Container",
        "Id": "Ruby",
        "Partition": "aws",
        "Region": "us-east-1",
        "Details": {
          "Container": {
            "ImageName": "Ruby"
          },
          "Other": {
            "CVE ID": "CVE-2020-25613",
            "CVE Title": "ruby: Potential HTTP request smuggling in WEBrick",
            "PkgName": "webrick",
            "Installed Package": "1.4.2.1",
            "Patched Package": ">= 1.6.1",
            "NvdCvssScoreV3": "7.5",
            "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "NvdCvssScoreV2": "5",
            "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
          }
        }
      }
    ],
    "RecordState": "ACTIVE"
  },
  {
    "SchemaVersion": "2018-10-08",
    "Id": "/usr/local/bundle/gems/mongo-2.14.1/spec/support/certificates/client.pem",
    "ProductArn": "arn:aws:securityhub:::product/aquasecurity/aquasecurity",
    "GeneratorId": "Trivy",
    "AwsAccountId": "xxxxxxxxxxxx",
    "Types": [
      "Sensitive Data Identifications"
    ],
    "CreatedAt": "2024-01-25T16:12:37.059177994Z",
    "UpdatedAt": "2024-01-25T16:12:37.059183005Z",
    "Severity": {
      "Label": "HIGH"
    },
    "Title": "Trivy found a secret in /usr/local/bundle/gems/mongo-2.14.1/spec/support/certificates/client.pem: Asymmetric Private Key",
    "Description": "Trivy found a secret in /usr/local/bundle/gems/mongo-2.14.1/spec/support/certificates/client.pem: Asymmetric Private Key",
    "ProductFields": {
      "Product Name": "Trivy"
    },
    "Resources": [
      {
        "Type": "Other",
        "Id": "/usr/local/bundle/gems/mongo-2.14.1/spec/support/certificates/client.pem",
        "Partition": "aws",
        "Region": "",
        "Details": {
          "Other": {
            "Filename": "/usr/local/bundle/gems/mongo-2.14.1/spec/support/certificates/client.pem"
          }
        }
      }
    ],
    "RecordState": "ACTIVE"
  }
]
  2. Fill in the account id with the account you intend to upload the findings to
  3. Use the following command to push the results file
    aws securityhub batch-import-findings --findings file://results-14-7-y.asff
  4. You can remove one and then the other array item to get differing results from the upload

Target: Container Image

Scanner: None

Output Format: Template

Mode: Standalone

Debug Output: N/A

Operating System: docker

Version: 0.48.3

Checklist
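The failing finding above differs from the accepted one only in the region segment of ProductArn (`arn:aws:securityhub:::product/...` versus `arn:aws:securityhub:us-east-1::product/...`). The following pre-flight check, added here as an example and not part of Trivy or the issue, flags findings whose ProductArn lacks a region before they are sent to BatchImportFindings, and shows the interim workaround of filling the region in (the region value and the helper names are assumptions, not Trivy's fix):

```python
import json
import re

# Shape Security Hub expects for a partner product ARN:
# arn:aws:securityhub:<region>::product/<vendor>/<name>
PRODUCT_ARN_RE = re.compile(
    r"^arn:aws:securityhub:(?P<region>[a-z0-9-]*)::product/[^/]+/[^/]+$"
)

# Constructed sample: the two findings from the report, trimmed to the fields
# the check needs. The secret finding carries the empty-region ProductArn.
SAMPLE_FINDINGS = json.dumps([
    {"Id": "Ruby/CVE-2020-25613",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aquasecurity/aquasecurity",
     "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"]},
    {"Id": "/usr/local/bundle/gems/mongo-2.14.1/spec/support/certificates/client.pem",
     "ProductArn": "arn:aws:securityhub:::product/aquasecurity/aquasecurity",
     "Types": ["Sensitive Data Identifications"]},
])


def bad_product_arns(findings_json: str) -> list[str]:
    """Return the Ids of findings whose ProductArn is malformed or has no region."""
    bad = []
    for finding in json.loads(findings_json):
        m = PRODUCT_ARN_RE.match(finding.get("ProductArn", ""))
        if m is None or not m.group("region"):
            bad.append(finding["Id"])
    return bad


def fill_missing_region(findings_json: str, region: str) -> str:
    """Workaround (assumed, not the upstream fix): insert `region` where it is empty."""
    findings = json.loads(findings_json)
    for finding in findings:
        m = PRODUCT_ARN_RE.match(finding.get("ProductArn", ""))
        if m is not None and not m.group("region"):
            finding["ProductArn"] = finding["ProductArn"].replace(
                "arn:aws:securityhub:::", f"arn:aws:securityhub:{region}::", 1)
    return json.dumps(findings, indent=2)


if __name__ == "__main__":
    print("rejected before upload:", bad_product_arns(SAMPLE_FINDINGS))
    patched = fill_missing_region(SAMPLE_FINDINGS, "us-east-1")
    print("rejected after patching:", bad_product_arns(patched))
```

Run the check against the real results.asff before calling `aws securityhub batch-import-findings`, so a bad ProductArn is caught locally instead of as an InvalidInputException.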

@DmitriyLewen DmitriyLewen added kind/bug Categorizes issue or PR as related to a bug. scan/secret Issues relating to secret scanning labels Jan 26, 2024
@DmitriyLewen DmitriyLewen self-assigned this Jan 26, 2024
@DmitriyLewen
Contributor Author

Hello @lumattr

I created #6011 to fix this problem.
Until these changes are merged, you can update the asff.tpl file yourself (see lines 131 and 148 from the PR).

Regards, Dmitriy
