tab character causing CS build to fail
Summary
Scanning the centos:8 image fails with an unexpected token error due to a \t tab character in the Trivy JSON report. This would likely cause container scanning builds to fail, since centos:8 is part of the integration tests.
Findings
This tab character is found between the commit sha and (v3.10.0a2) of the link.
[ERROR] [2023-12-08 09:08:22 +0000] [container-scanning] > unexpected token at '{
1454 "url": "https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f (v3.10.0a2)"
This is more evident by looking at the CVE-2022-48564.json source in the vuln-list repo where this link originates from.
"Candidate": "CVE-2022-48564",
"PublicDate": "2023-08-22T19:16:00Z",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48564",
"https://github.com/python/cpython/issues/86269",
"https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f\t(v3.10.0a2)",
"https://github.com/python/cpython/commit/e277cb76989958fdbc092bf0b2cb55c43e86610a (3.9)",
"https://github.com/python/cpython/commit/225e3659556616ad70186e7efc02baeebfeb5ec4 (v3.7.10)",
"https://bugs.python.org/issue42103",
"https://ubuntu.com/security/notices/USN-6513-1"
]
The CVE was retrieved by the vuln-list-update repo from the ubuntu-cve-tracker repo where it was added via this commit.
Resolution
As ubuntu-cve-tracker is a git repo, I attempted to submit a merge request to fix the issue, but I did not have permissions to push a branch. I could not find any contact details in the ubuntu-cve-tracker repo to explore a way to fix this issue at its source.
A temporary fix might be to remove the \t manually when we download the Trivy DB in the container scanning project.
Implementation plan
Code: Update sbom_converter to strip \t: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/blob/master/lib/gcs/converter.rb?ref_type=heads#L18
Testing: Add regression test which inserts control characters into the scanner output.
Note: This is the short term fix. A longer term fix is to ensure the scanner does not output control characters.
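The sanitisation step described above, as an added example in the converter's language (this is not the container-scanning project's own converter code). Rather than deleting the tab, it escapes any raw control character that sits inside a JSON string literal so the report parses and the reference URL keeps its original content; whitespace between tokens is left alone. The helper names and the sample report are assumptions constructed for this example.

```ruby
require 'json'

# JSON short escapes for the common C0 control characters; anything else gets \uXXXX.
CONTROL_ESCAPES = { "\b" => '\b', "\f" => '\f', "\n" => '\n', "\r" => '\r', "\t" => '\t' }.freeze

# Walk the raw document, tracking whether we are inside a string literal (and whether
# the previous character was a backslash), and escape raw control characters found
# inside strings. Structural whitespace outside strings is legal JSON and is kept as-is.
def escape_control_chars_in_strings(raw)
  out = +''
  in_string = false
  escaped = false
  raw.each_char do |ch|
    if in_string
      if escaped
        escaped = false            # character after a backslash is part of an escape
      elsif ch == '\\'
        escaped = true
      elsif ch == '"'
        in_string = false
      elsif ch.ord < 0x20
        out << (CONTROL_ESCAPES[ch] || format('\\u%04x', ch.ord))
        next                       # do not emit the raw control byte
      end
    elsif ch == '"'
      in_string = true
    end
    out << ch
  end
  out
end

# Parse a scanner report after repairing control characters in its string literals.
def parse_report(raw)
  JSON.parse(escape_control_chars_in_strings(raw))
end

# Constructed sample shaped like the offending report entry: a literal tab (0x09)
# between the commit sha and the version tag inside the reference URL.
SAMPLE_REPORT = "{\"References\":[\"https://github.com/python/cpython/commit/" \
                "34637a0ce21e7261b952fbd9d006474cc29b681f\t(v3.10.0a2)\"]}"

puts parse_report(SAMPLE_REPORT)['References'].first.inspect
```

A regression test for the converter can feed a report containing each control character through parse_report and assert that parsing succeeds and the string values round-trip unchanged.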