diff --git a/action.yaml b/action.yaml index 3e37c9b..0ecb85b 100644 --- a/action.yaml +++ b/action.yaml @@ -91,6 +91,10 @@ inputs: limit-severities-for-sarif: description: 'limit severities for SARIF format' required: false + debug-mode: + description: 'debug mode' + required: false + default: 'false' runs: using: 'docker' @@ -119,3 +123,4 @@ runs: - '-u ${{ inputs.github-pat }}' - '-v ${{ inputs.trivy-config }}' - '-z ${{ inputs.limit-severities-for-sarif }}' + - '-x ${{ inputs.debug }}' diff --git a/entrypoint.sh b/entrypoint.sh index 26a9dae..cb3ff10 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash set -e -while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do +while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:x:" o; do case "${o}" in a) export scanType=${OPTARG} @@ -71,6 +71,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do z) export limitSeveritiesForSARIF=${OPTARG} ;; + x) + export debugMode=${OPTARG} + ;; esac done @@ -88,11 +91,15 @@ fi ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r') hideProgress=$(echo $hideProgress | tr -d '\r') limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r') +debugMode=$(echo $debugMode | tr -d '\r') GLOBAL_ARGS="" if [ $cacheDir ];then GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir" fi +if [ "$debugMode" == "true" ];then + GLOBAL_ARGS="$GLOBAL_ARGS --debug" +fi SARIF_ARGS="" ARGS="" diff --git a/test/data/image-trivyignores.test b/test/data/image-trivyignores.test index f2a567c..aa3d4ae 100644 --- a/test/data/image-trivyignores.test +++ b/test/data/image-trivyignores.test 
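Review bot: The description of the new `debug-mode` input, `'debug mode'`, does not tell a workflow author what the flag does or which value enables it, and the entrypoint in this same commit reacts only to the literal string `true`. Suggest `description: 'Enable Trivy debug logging (passes --debug to trivy); set to "true" to enable'`. Keeping `default: 'false'` quoted is right, since action inputs are strings and the shell compares against `"true"`.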
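Review bot: The added argument `- '-x ${{ inputs.debug }}'` references an input that is not declared; the input introduced in the hunk above is `debug-mode`, so the expression expands to an empty string and debug mode can never be switched on through the action. Change it to `- '-x ${{ inputs.debug-mode }}'`. The new bats test calls `./entrypoint.sh` directly with `"-x true"`, so it does not exercise this wiring and passes with the mismatch in place.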
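Review bot: `if [ "$debugMode" == "true" ];then` accepts only the lowercase literal `true`, so a workflow passing `True` or `1` silently gets no debug output; either state that in the action input's description or normalise the value on the line that strips carriage returns, e.g. `debugMode=$(echo "$debugMode" | tr -d '\r' | tr '[:upper:]' '[:lower:]')`. `--debug` raises Trivy's log verbosity while the same invocation carries the `github-pat` credential via `-u`; it is worth confirming that the debug log does not echo command arguments or the token before the flag is recommended for shared CI logs. The `[ ... ]`/`==` form is bash-specific, which matches the `#!/bin/bash` shebang at the top of the file.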
@@ -27,10 +27,10 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │ +│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ arbitrary code execution via .gitmodules │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │ @@ -58,7 +58,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │ 
@@ -69,6 +69,18 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │ +│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ heap out-of-bound read in function rtreenode() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │ └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ + +rust-app/Cargo.lock (cargo) +=========================== +Total: 1 (CRITICAL: 1) + +┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ +├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ +│ smallvec │ CVE-2021-25900 │ CRITICAL │ fixed │ 0.6.9 │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │ +│ │ │ │ │ │ │ and 1.x... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │ +└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ diff --git a/test/data/image.test b/test/data/image.test index f2a567c..d954ed1 100644 --- a/test/data/image.test +++ b/test/data/image.test 
@@ -27,10 +27,10 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │ +│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ arbitrary code execution via .gitmodules │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │ @@ -58,7 +58,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │ 
@@ -69,6 +69,30 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │ +│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ heap out-of-bound read in function rtreenode() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │ └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ + +rust-app/Cargo.lock (cargo) +=========================== +Total: 4 (CRITICAL: 4) + +┌───────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ +├───────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ +│ rand_core │ CVE-2020-25576 │ CRITICAL │ fixed │ 0.4.0 │ 0.4.2, 0.3.1 │ An issue was discovered in the rand_core crate before 0.4.2 │ +│ │ │ │ │ │ │ for Rust.... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │ +├───────────┼────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ +│ smallvec │ CVE-2019-15551 │ │ │ 0.6.9 │ 0.6.10 │ An issue was discovered in the smallvec crate before 0.6.10 │ +│ │ │ │ │ │ │ for Rust.... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15551 │ +│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤ +│ │ CVE-2019-15554 │ │ │ │ │ An issue was discovered in the smallvec crate before 0.6.10 │ +│ │ │ │ │ │ │ for Rust.... 
│ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15554 │ +│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤ +│ │ CVE-2021-25900 │ │ │ │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │ +│ │ │ │ │ │ │ and 1.x... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │ +└───────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ diff --git a/test/test.bats b/test/test.bats index 13a69ce..98fd603 100644 --- a/test/test.bats +++ b/test/test.bats @@ -81,3 +81,9 @@ bats_load_library bats-file echo "$output" assert_files_equal yamlconfig.test ./test/data/yamlconfig.test } + +@test "trivy image with debug mode on" { + # trivy image --debug github knqyf263/vuln-image:1.2.3 + run ./entrypoint.sh "-x true" "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3" + assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' +}
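Review bot: The new test `trivy image with debug mode on` asserts only `'"package_url": "pkg:apk/ca-certificates@20171114-r0",'`, which a non-debug run would presumably produce as well, so it passes even if `-x true` were ignored. Add an assertion on something only the debug path emits (a `--debug` log line, for example) so the test pins the behaviour its name claims. Because it invokes `./entrypoint.sh` directly, it also leaves the action.yaml mapping of the input onto `-x` untested.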