Strings are not correctly escaped in the provided asff template

[IzaakBH]

Description

Asff.tpl incorrectly escapes strings in descriptions using escapeString. For strings such as 1

1. "The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\\s sourceMappingURL=(.*)."

It also incorrectly escapes the CVE Title field in some cases.

Desired Behavior

The string to be correctly escaped.

Actual Behavior

The escaped string was incorrect and caused an error when pushing to security hub.

This is the output:
"The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /s sourceMappingURL=(.*).".

And the error from AWS CLI
"Error parsing parameter '--findings': Invalid JSON: Invalid \escape: line 1 column 19068 (char 19067)".

Escaping on the CVE Title caused "CVE ID": "CVE-2022-24999", "CVE Title": "express: "qs" prototype poisoning causes the hang of the node process",

Reproduction Steps

1. Scan a container with CVE-2021-23382 (e.g nodejs-postcss:7.0.21) and CVE-2022-24999 (e.g. qs:6.3.0)
2. Attempt to push the results to was security hub

Target

Container Image

Scanner

Vulnerability

Output Format

Template

Mode

Standalone

Debug Output

AWS_REGION=eu-west-1 AWS_ACCOUNT_ID=$AWS_ACCOUNT_NUMBER REPO_NAME=$repo_name GITLAB_TOKEN=$GITLAB_PIPELINE_ACCESS_TOKEN trivy repo --format template --template "@asff.tpl" -o unformattedReport.asff $http_clone_url

Operating System

Alpine

Version

0.51

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @IzaakBH
Thanks for your report!

Do you use latest asff.tpl template?

I see escaped characters in your case:

➜ shasum ./contrib/asff.tpl 
52029883e1ece437346275bb31ba18ede8093367  ./contrib/asff.tpl

➜  trivy fs -f template -t @contrib/asff.tpl /Users/work/work/temp/6667/package-lock.json | grep "The package postcss before"
            "Description": "The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \\/\\*\\s* sourceMappingURL=(.*).",

Regards, Dmitriy

[IzaakBH]

Hey,

We have been using the latest template with the description line like this "Description": {{ escapeString $description | printf "%q" }}.

The exact command used is trivy repo --format template --template "@asff.tpl" -o unformattedReport.asff $http_clone_url

Perhaps there is some difference in the commands?

Thanks

[DmitriyLewen]

Perhaps there is some difference in the commands?

mode doesn't matter for templates.

We have been using the latest template with the description line like this "Description": {{ escapeString $description | printf "%q" }}.

This is weird case.
Can you run wget https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/asff.tpl && trivy repo --format template --template "@asff.tpl" $http_clone_url | jq '.Findings[] | select(.GeneratorId=="Trivy/CVE-2021-23382")' command and send me result?

[IzaakBH]

That command gave jq: parse error: Invalid numeric literal at line 1, column 12
But after manually inspecting the output, it saw that it was correctly escaped for the vulnerability Mentioned. I ran it through all the same manipulation our script is running and the output was still correctly escaped.

"The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*)."

My guess is either...
a) We didn't actually have the latest asff
b) There is some difference on mac vs linux (i am on mac but the server that saw the error is linux)
c) The server has an older version of trivy.

I will figure which of these it is and update.

Thanks for the help so far