From 0d42dafe79df6a983176b64a9683f121157f7847 Mon Sep 17 00:00:00 2001 From: Calin Marina Date: Tue, 10 Oct 2023 22:18:24 +0100 Subject: [PATCH 1/4] add debug mode parameter --- action.yaml | 5 +++++ entrypoint.sh | 8 +++++++- test/test.bats | 6 ++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/action.yaml b/action.yaml index 3e37c9b..0ecb85b 100644 --- a/action.yaml +++ b/action.yaml @@ -91,6 +91,10 @@ inputs: limit-severities-for-sarif: description: 'limit severities for SARIF format' required: false + debug-mode: + description: 'debug mode' + required: false + default: 'false' runs: using: 'docker' @@ -119,3 +123,4 @@ runs: - '-u ${{ inputs.github-pat }}' - '-v ${{ inputs.trivy-config }}' - '-z ${{ inputs.limit-severities-for-sarif }}' + - '-x ${{ inputs.debug }}' diff --git a/entrypoint.sh b/entrypoint.sh index 26a9dae..4a5405a 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash set -e -while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do +while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:x:" o; do case "${o}" in a) export scanType=${OPTARG} @@ -71,6 +71,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do z) export limitSeveritiesForSARIF=${OPTARG} ;; + x) + export debugMode=${OPTARG} + ;; esac done @@ -157,6 +160,9 @@ fi if [ "$hideProgress" == "true" ];then ARGS="$ARGS --no-progress" fi +if [ "$debugMode" == "true" ];then + ARGS="$ARGS --debug" +fi listAllPkgs=$(echo $listAllPkgs | tr -d '\r') if [ "$listAllPkgs" == "true" ];then diff --git a/test/test.bats b/test/test.bats index 13a69ce..98fd603 100644 --- a/test/test.bats +++ b/test/test.bats 
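Review bot: The description `'debug mode'` on the new `debug-mode` input (action.yaml, hunk `@@ -91,6 +91,10 @@`) does not say what the input does or where its output ends up. Going by the entrypoint.sh changes in this series, `true` adds `--debug` to the trivy command line, so the verbose output lands in the job log of an action that also takes `github-pat` and registry-related inputs. I would write `description: 'pass --debug to trivy; verbose output is written to the job log, enable only while troubleshooting'`. Whether trivy's debug output can include credential-bearing URLs or headers is not visible on this page and is worth confirming before the option is recommended for routine use.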
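Review bot: The new argument in action.yaml, hunk `@@ -119,3 +123,4 @@`, reads `${{ inputs.debug }}`, but the input declared earlier in this patch is named `debug-mode`, so no `debug` input exists and the expression presumably evaluates to an empty string. entrypoint.sh would then receive `-x` with a whitespace-only value, the `"$debugMode" == "true"` comparison would never match, and `debug-mode: true` in a workflow would silently do nothing. The line should be `- '-x ${{ inputs.debug-mode }}'`. The bats test added in this patch calls entrypoint.sh directly, so it does not exercise this mapping and cannot catch the mismatch.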
@@ -81,3 +81,9 @@ bats_load_library bats-file echo "$output" assert_files_equal yamlconfig.test ./test/data/yamlconfig.test } + +@test "trivy image with debug mode on" { + # trivy image --debug github knqyf263/vuln-image:1.2.3 + run ./entrypoint.sh "-x true" "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3" + assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' +} From 9118283e40420f3ee192460c1d43c20adf2ecf76 Mon Sep 17 00:00:00 2001 From: Calin Marina Date: Tue, 10 Oct 2023 22:19:23 +0100 Subject: [PATCH 2/4] chore: update test results --- test/data/image-trivyignores.test | 20 +++++++++++++++---- test/data/image.test | 32 +++++++++++++++++++++++++++---- 2 files changed, 44 insertions(+), 8 deletions(-) diff --git a/test/data/image-trivyignores.test b/test/data/image-trivyignores.test index f2a567c..aa3d4ae 100644 --- a/test/data/image-trivyignores.test +++ b/test/data/image-trivyignores.test 
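Review bot: The new test `trivy image with debug mode on` asserts only on `"package_url": "pkg:apk/ca-certificates@20171114-r0",`, which is part of the scan result and would presumably be printed with or without `-x true`, so the test passes even when `--debug` never reaches trivy. Add an assertion on something only debug mode emits, for example `assert_output --partial 'DEBUG'`. The exact string needs adjusting to what trivy prints, and it is worth checking that `run` captures the stream trivy logs to. A companion case with `-x false` and `refute_output --partial 'DEBUG'` would pin the off state as well.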
@@ -27,10 +27,10 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │ +│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ arbitrary code execution via .gitmodules │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │ @@ -58,7 +58,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │ 
@@ -69,6 +69,18 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │ +│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ heap out-of-bound read in function rtreenode() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │ └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ + +rust-app/Cargo.lock (cargo) +=========================== +Total: 1 (CRITICAL: 1) + +┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ +├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ +│ smallvec │ CVE-2021-25900 │ CRITICAL │ fixed │ 0.6.9 │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │ +│ │ │ │ │ │ │ and 1.x... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │ +└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ diff --git a/test/data/image.test b/test/data/image.test index f2a567c..d954ed1 100644 --- a/test/data/image.test +++ b/test/data/image.test 
@@ -27,10 +27,10 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │ +│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ arbitrary code execution via .gitmodules │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │ @@ -58,7 +58,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │ 
@@ -69,6 +69,30 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │ +│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ heap out-of-bound read in function rtreenode() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │ └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ + +rust-app/Cargo.lock (cargo) +=========================== +Total: 4 (CRITICAL: 4) + +┌───────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ +├───────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ +│ rand_core │ CVE-2020-25576 │ CRITICAL │ fixed │ 0.4.0 │ 0.4.2, 0.3.1 │ An issue was discovered in the rand_core crate before 0.4.2 │ +│ │ │ │ │ │ │ for Rust.... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │ +├───────────┼────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ +│ smallvec │ CVE-2019-15551 │ │ │ 0.6.9 │ 0.6.10 │ An issue was discovered in the smallvec crate before 0.6.10 │ +│ │ │ │ │ │ │ for Rust.... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15551 │ +│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤ +│ │ CVE-2019-15554 │ │ │ │ │ An issue was discovered in the smallvec crate before 0.6.10 │ +│ │ │ │ │ │ │ for Rust.... 
│ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15554 │ +│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤ +│ │ CVE-2021-25900 │ │ │ │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │ +│ │ │ │ │ │ │ and 1.x... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │ +└───────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ From ed7bcc59f7b9cd1997bd32d72d348b1d4c1d5187 Mon Sep 17 00:00:00 2001 From: Calin Marina Date: Tue, 10 Oct 2023 23:41:49 +0100 Subject: [PATCH 3/4] trim boolean value --- entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/entrypoint.sh b/entrypoint.sh index 4a5405a..67d05fd 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -91,6 +91,7 @@ fi ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r') hideProgress=$(echo $hideProgress | tr -d '\r') limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r') +debugMode=$(echo $debugMode | tr -d '\r') GLOBAL_ARGS="" if [ $cacheDir ];then From 290218db8ca55ebe29af3e907a86bfd30d7a69b7 Mon Sep 17 00:00:00 2001 From: Calin Marina Date: Wed, 11 Oct 2023 00:01:27 +0100 Subject: [PATCH 4/4] fix: place debug mode variable in global category --- entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 67d05fd..cb3ff10 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -97,6 +97,9 @@ GLOBAL_ARGS="" if [ $cacheDir ];then GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir" fi +if [ "$debugMode" == "true" ];then + GLOBAL_ARGS="$GLOBAL_ARGS --debug" +fi SARIF_ARGS="" ARGS="" @@ -161,9 +164,6 @@ fi if [ "$hideProgress" == "true" ];then ARGS="$ARGS --no-progress" fi -if [ "$debugMode" == "true" ];then - ARGS="$ARGS --debug" -fi listAllPkgs=$(echo $listAllPkgs | tr -d '\r') if [ "$listAllPkgs" == "true" ];then
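Review bot: The added `debugMode=$(echo $debugMode | tr -d '\r')` in entrypoint.sh (patch 3/4, hunk `@@ -91,6 +91,7 @@`) does two jobs, but only the `\r` removal is visible to a reader. Because the action and the bats test pass flag and value as one argument (`"-x true"`), getopts should leave a leading space in `OPTARG`, and it is the unquoted `$debugMode` that drops it through word splitting. Someone quoting the expansion to satisfy a linter would make `"$debugMode" == "true"` stop matching and debug mode would quietly turn off. I would add a comment above the line, `# unquoted on purpose: word splitting drops the leading space getopts keeps from '-x true'`. The same applies to the neighbouring `ignoreUnfixed`, `hideProgress` and `limitSeveritiesForSARIF` lines shown as context.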