
Trivy Parser Creates Malformed Location URL #2324

Open
danil-smirnov opened this issue Feb 29, 2024 · 4 comments
Labels: bug

@danil-smirnov commented:

🐞 Bug report

Describe the bug

We run the following scan with Trivy:

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "trivy-k8s-1"
  annotations:
    defectdojo.securecodebox.io/product-type-name: Infra
    defectdojo.securecodebox.io/product-name: infra-cluster
    defectdojo.securecodebox.io/engagement-name: "Trivy k8s scan"
    defectdojo.securecodebox.io/test-title: "Trivy k8s weekly scan"
spec:
  scanType: "trivy-k8s"
  parameters:
    - "-d"
    - "--timeout"
    - "30m"
    - "--tolerations"
    - "gitlab_runners=true:NoSchedule"
    - "--components"
    - "workload"
    - "--scanners"
    - "vuln"
    - "-n"
    - "gitlab"
    - "pods"
  volumes:
    - name: dockersocket
      hostPath:
        path: /run/containerd/containerd.sock
    - name: db-cache
      persistentVolumeClaim:
        claimName: trivy-k8s-database
  volumeMounts:
    - name: dockersocket
      mountPath: /run/containerd/containerd.sock
    - name: db-cache
      mountPath: /root/.cache/trivy

Scan and parse stages go just fine. But in the Persistence-defectdojo hook we see a lot of warnings like this:

2024-02-29 17:17:26 WARN  SecureCodeBoxFindingsToDefectDojoMapper:89 - Couldn't parse the secureCodeBox location, because it: java.lang.IllegalArgumentException: Illegal character in opaque part at index 10: Namespace: 'gitlab' / Kind: 'Pod' / Name: 'runner--ykq-n2m-project-8-concurrent-0-na4oov1f' is not a vailid uri: Namespace: 'gitlab' / Kind: 'Pod' / Name: 'runner--ykq-n2m-project-8-concurrent-0-na4oov1f'
2024-02-29 17:17:26 WARN  SecureCodeBoxFindingsToDefectDojoMapper:89 - Couldn't parse the secureCodeBox location, because it: java.lang.IllegalArgumentException: Illegal character in opaque part at index 10: Namespace: 'gitlab' / Kind: 'Pod' / Name: 'runner--ykq-n2m-project-8-concurrent-0-na4oov1f' is not a vailid uri: Namespace: 'gitlab' / Kind: 'Pod' / Name: 'runner--ykq-n2m-project-8-concurrent-0-na4oov1f'

Steps To Reproduce

Expected behavior

System (please complete the following information):

  • operator-4.4.0
  • trivy-4.4.1
  • persistence-defectdojo-4.4.1

Screenshots / Logs

Additional context

danil-smirnov added the bug label on Feb 29, 2024

@Weltraumschaf (Member) commented:

Hi @danil-smirnov,

thanks for submitting this issue. We'll investigate this.

@J12934 (Member) commented Mar 8, 2024:

Hi @danil-smirnov

Good point, the trivy-k8s parser sets the location to an invalid URI. Thank you for reporting it.

We need to change this to a format which is URI compliant, but it'll be hard to fit all of the information in there.

https://github.com/secureCodeBox/secureCodeBox/blob/main/scanners/trivy/parser/parser.js#L175

Weltraumschaf changed the title from "Couldn't parse the secureCodeBox location" error in Persistence-defectdojo to Trivy Parser Creates Malformed Location URL on Mar 26, 2024

@Weltraumschaf (Member) commented Mar 26, 2024:

We need to define a valid URL format for the docker image. As discussed today we need to do some research what a good spec is. Some ideas:

  • Simply the HTTP URL from where the image was pulled: https://registry.example.com/foo/imagename/latest
  • K8s may have something similar like: docker-pullable://....
  • Define a custom protocol: x-scb-trivy://....

First check if URI not starting with http is allowed in DefectDojo.
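The two comments above (the invalid location string emitted by parser.js, and the search for a URI-compliant replacement) can be made concrete with a small example. The code below is added here and is not secureCodeBox project code. It assumes the custom `x-scb-trivy://` scheme floated above as the location format, which is an assumption of this example, not a decision the project has made. It reconstructs the current free-text location from the log line in the report, checks it against the character rules of RFC 3986 (the rules `java.net.URI`, used by the DefectDojo hook, enforces), and shows an encoder/decoder pair that fits namespace, kind and name into a URI that round-trips even when a name contains characters such as spaces or slashes.

```javascript
// Added example, not code from the secureCodeBox project: build a location
// URI for a Kubernetes workload finding that strict URI parsers accept, and
// check the parser's current free-text format against the same rules.
// The "x-scb-trivy" scheme is one of the ideas floated in this issue; using it
// here is an assumption of this example.

const SCHEME = "x-scb-trivy";

// The format the parser currently emits, reconstructed from the log line in
// the report (constructed sample, not taken from a running cluster).
const CURRENT_LOCATION =
  "Namespace: 'gitlab' / Kind: 'Pod' / Name: 'runner--ykq-n2m-project-8-concurrent-0-na4oov1f'";

// Characters RFC 3986 permits anywhere in a URI: unreserved, gen-delims,
// sub-delims and the percent sign of an escape. java.net.URI rejects anything
// else; in CURRENT_LOCATION the first offender is the space at index 10,
// which is exactly what the "Illegal character ... at index 10" warning says.
const ALLOWED = /^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$/;
const BAD_ESCAPE = /%(?![0-9A-Fa-f]{2})/;

function isStrictUriSafe(s) {
  return ALLOWED.test(s) && !BAD_ESCAPE.test(s);
}

// Index of the first character a strict parser would reject, or -1 if none.
function firstIllegalIndex(s) {
  for (let i = 0; i < s.length; i++) {
    if (!ALLOWED.test(s[i])) return i;
  }
  return -1;
}

// Percent-encode one path segment. encodeURIComponent leaves the sub-delims
// ! ' ( ) * alone; encoding them as well keeps every segment unambiguous and
// lets decodeURIComponent round-trip any name, including ones containing "/".
function encodeSegment(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

// x-scb-trivy://<namespace>/<kind>/<name>
function k8sLocationUri({ namespace, kind, name }) {
  return `${SCHEME}://${encodeSegment(namespace)}/${encodeSegment(kind)}/${encodeSegment(name)}`;
}

// Inverse of k8sLocationUri, using the WHATWG URL parser that Node ships.
// For a non-special scheme the authority becomes url.host and the rest of
// the string becomes url.pathname with percent-escapes preserved.
function parseK8sLocationUri(uri) {
  const url = new URL(uri);
  if (url.protocol !== `${SCHEME}:`) {
    throw new Error(`unexpected scheme in location: ${url.protocol}`);
  }
  const segments = url.pathname.split("/").slice(1);
  if (segments.length !== 2) {
    throw new Error(`expected <namespace>/<kind>/<name>, got ${uri}`);
  }
  const [kind, name] = segments.map(decodeURIComponent);
  return { namespace: decodeURIComponent(url.host), kind, name };
}

// Stand-alone demonstration.
console.log("current format strict-safe:", isStrictUriSafe(CURRENT_LOCATION),
  "first illegal index:", firstIllegalIndex(CURRENT_LOCATION));
const proposed = k8sLocationUri({
  namespace: "gitlab",
  kind: "Pod",
  name: "runner--ykq-n2m-project-8-concurrent-0-na4oov1f",
});
console.log("proposed:", proposed, "strict-safe:", isStrictUriSafe(proposed));
console.log("round-trip:", parseK8sLocationUri(proposed));
```

Two things are worth noting. The character check matters more than a successful `new URL()` call: Node's WHATWG parser treats everything after `Namespace:` as an opaque path and may accept the current string, so it is not evidence that `java.net.URI` on the DefectDojo side will. And because each segment is percent-encoded separately, the three pieces of information the parser needs to carry survive even for unusual resource names, which addresses the "hard to fit all of the information in there" concern without inventing a second free-text format.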

@Weltraumschaf (Member) commented:

Relates to #2364

BorisShek self-assigned this on Sep 24, 2024