Container scanning result parsing can fail if url schema is not http
Summary
If the URL in an aquasec database entry's identifier is not http or https, then container scanning will fail.
The same applies to the URLs in the links.
Steps to reproduce
- Scan php:7.4-apache-bullseye using the container scanning GitLab job template.
- See the error in the pipeline security tab.
- Download gl-container-scanning-report.json.
- Run
jq < gl-container-scanning-report.json '.vulnerabilities[] | select (.identifiers[].value == "CVE-2004-0230")'
Example Project
https://gitlab.com/akontainers/gitlab.com-issue-404641
https://gitlab.com/akontainers/gitlab.com-issue-404641/-/pipelines/827918487
What is the current bug behavior?
For example, https://avd.aquasec.com/nvd/2004/cve-2004-0230/.
JSON from container scanning job
{
  "id": "7e0c72bed9249e6d229d15194a4f414b83a12647",
  "severity": "Low",
  "location": {
    "dependency": {
      "package": {
        "name": "linux-libc-dev"
      },
      "version": "5.10.149-2"
    },
    "operating_system": "debian 11.5",
    "image": "php:7.4-apache-bullseye"
  },
  "identifiers": [
    {
      "type": "cve",
      "name": "CVE-2004-0230",
      "value": "CVE-2004-0230",
      "url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc"
    }
  ],
  "links": [
    {
      "url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc"
    },
    {
      "url": "ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.3/SCOSA-2005.3.txt"
    },
    {
      "url": "ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.9/SCOSA-2005.9.txt"
    },
    {
      "url": "ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.14/SCOSA-2005.14.txt"
    },
    {
      "url": "ftp://patches.sgi.com/support/free/security/advisories/20040403-01-A.asc"
    },
    {
      "url": "http://kb.juniper.net/JSA10638"
    },
    {
      "url": "http://marc.info/?l=bugtraq&m=108302060014745&w=2"
    },
    {
      "url": "http://marc.info/?l=bugtraq&m=108506952116653&w=2"
    },
    {
      "url": "http://secunia.com/advisories/11440"
    },
    {
      "url": "http://secunia.com/advisories/11458"
    },
    {
      "url": "http://secunia.com/advisories/22341"
    },
    {
      "url": "http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml"
    },
    {
      "url": "http://www.kb.cert.org/vuls/id/415294"
    },
    {
      "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
    },
    {
      "url": "http://www.osvdb.org/4030"
    },
    {
      "url": "http://www.securityfocus.com/archive/1/449179/100/0/threaded"
    },
    {
      "url": "http://www.securityfocus.com/bid/10183"
    },
    {
      "url": "http://www.uniras.gov.uk/vuls/2004/236929/index.htm"
    },
    {
      "url": "http://www.us-cert.gov/cas/techalerts/TA04-111A.html"
    },
    {
      "url": "http://www.vupen.com/english/advisories/2006/3983"
    },
    {
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-019"
    },
    {
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-064"
    },
    {
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15886"
    },
    {
      "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10053"
    },
    {
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2689"
    },
    {
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A270"
    },
    {
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3508"
    },
    {
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4791"
    },
    {
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5711"
    }
  ],
  "description": "TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.",
  "solution": "No solution provided"
}
The identifier url is ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc.
The ftp links are:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.3/SCOSA-2005.3.txt
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.9/SCOSA-2005.9.txt
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.14/SCOSA-2005.14.txt
ftp://patches.sgi.com/support/free/security/advisories/20040403-01-A.asc
What is the expected correct behavior?
No errors
Relevant logs and/or screenshots
gl-container-scanning-report.json
Implementation Plan
- Update Security Report Schemas to allow the ftp scheme in URLs.
- Update Container Scanning to ignore any URLs that don't use ftp, http or https as the scheme.
- Update rails monolith to use the latest version of the security report schemas.
- Update Container Scanning to use security report schema v15.0.6, added by "Update report format to allow url links with th..." (gitlab-org/security-products/security-report-schemas!145 - merged) in step 1.
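The second step of the plan, filtering out report URLs whose scheme is not ftp, http or https, is small enough to show end to end. The script below is an added example written for this page; it is not GitLab's container scanning code and not the analyzer's own filter. It parses a report in the shape shown above, lists every identifier or link URL with an unsupported scheme (the check a pipeline could run before upload), and produces a sanitized copy that drops an identifier's optional url field and removes link entries outright. The sample report is constructed and trimmed from the issue's JSON, with two deliberately bad links added; the ALLOWED_SCHEMES set is taken from the plan, and passing {"http", "https"} instead reproduces what the schema accepted before step 1.

```python
"""Flag and strip unsupported URL schemes in a gl-container-scanning-report.json.

Added example for this issue page, not GitLab's own code. The sample report below
is constructed (trimmed from the issue's JSON plus two invented bad links).
"""
import copy
import json
import sys
from urllib.parse import urlsplit

# Assumption from the implementation plan: these are the schemes the schema accepts
# once the ftp change lands. Before that change only http and https were accepted.
ALLOWED_SCHEMES = frozenset({"ftp", "http", "https"})

# Constructed sample report: one vulnerability, identifier url on ftp, mixed links.
SAMPLE_REPORT = json.loads("""
{
  "vulnerabilities": [
    {
      "id": "7e0c72bed9249e6d229d15194a4f414b83a12647",
      "severity": "Low",
      "identifiers": [
        {"type": "cve", "name": "CVE-2004-0230", "value": "CVE-2004-0230",
         "url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc"}
      ],
      "links": [
        {"url": "ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.3/SCOSA-2005.3.txt"},
        {"url": "http://www.kb.cert.org/vuls/id/415294"},
        {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15886"},
        {"url": "gopher://example.invalid/advisory"},
        {"url": "not a url at all"}
      ]
    }
  ]
}
""")


def scheme_ok(url, allowed=ALLOWED_SCHEMES):
    """True when url is a string whose scheme is in allowed; unparsable or
    scheme-less values (e.g. 'not a url at all') are rejected, never raised on."""
    if not isinstance(url, str):
        return False
    try:
        return urlsplit(url).scheme.lower() in allowed
    except ValueError:
        return False


def find_bad_urls(report, allowed=ALLOWED_SCHEMES):
    """Return (vulnerability id, field, url) for every URL the schema would reject."""
    bad = []
    for vuln in report.get("vulnerabilities", []):
        vid = vuln.get("id")
        for ident in vuln.get("identifiers", []):
            if "url" in ident and not scheme_ok(ident["url"], allowed):
                bad.append((vid, "identifiers.url", ident["url"]))
        for link in vuln.get("links", []):
            if not scheme_ok(link.get("url"), allowed):
                bad.append((vid, "links.url", link.get("url")))
    return bad


def sanitize_report(report, allowed=ALLOWED_SCHEMES):
    """Deep-copy the report and apply the plan's rule: an identifier keeps its
    other fields but loses a bad url (url is optional there); a link is only a
    url, so a bad link entry is removed entirely. The input is left untouched."""
    clean = copy.deepcopy(report)
    for vuln in clean.get("vulnerabilities", []):
        for ident in vuln.get("identifiers", []):
            if "url" in ident and not scheme_ok(ident["url"], allowed):
                del ident["url"]
        vuln["links"] = [
            link for link in vuln.get("links", []) if scheme_ok(link.get("url"), allowed)
        ]
    return clean


if __name__ == "__main__":
    # Usage: python filter_report_urls.py [gl-container-scanning-report.json]
    # With no path the constructed SAMPLE_REPORT is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for vid, field, url in find_bad_urls(report):
        print(f"{vid} {field}: unsupported scheme in {url!r}")
    json.dump(sanitize_report(report), sys.stdout, indent=2)
    print()
```

Run against the real report from the failing pipeline to list exactly which entries the upload choked on; with the pre-fix scheme set the ftp identifier and ftp links show up as well, which is the state the issue describes.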
Edited by Adam Cohen