Invalid URI in SARIF report

[pbaumard]

Description

SARIF report produced by Trivy may contain some invalid URI (e.g. when a file having issue has a a space in its filename).

A PR has been created: #7645

Desired Behavior

SARIF report should comply with SARIF 2.1.0 specification.

Actual Behavior

Excerpt of the SARIF json created by Trivy:

"results": [
        {
          "ruleId": "gitlab-pat",
          "ruleIndex": 0,
          "level": "error",
          "message": {
            "text": "Artifact: .run/abcdefg-dev-api (dev-ab).run.xml\nType: \nSecret GitLab Personal Access Token\nSeverity: CRITICAL\nMatch:                 \u003centry key=\"GITLAB_ACCESS_TOKEN\" value=\"**************************\" /\u003e"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": ".run/abcdefg-dev-api (dev-ab).run.xml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 12,
                  "startColumn": 1,
                  "endLine": 12,
                  "endColumn": 1
                }
              },
              "message": {
                "text": ".run/abcdefg-dev-api (dev-ab).run.xml"
              }
            }
          ]
        },

Invalid reports cannot be imported using SonarQube SARIF import:

[INFO] 16:03:22.151 Sensor Import external issues report from SARIF file.
[WARNING] 16:03:22.163 Failed to import an issue raised by tool Trivy, error: Illegal character in path at index 20: .run/abcdefg-dev-api (dev-ab).run.xml

The report is also failing SARIF Validator:

SARIF1002: runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri: The string '.run/abcdefg-dev-api (dev-ab).run.xml' is not a valid URI reference. URIs must conform to RFC 3986.

Reproduction Steps

1. create a file having a Trivy issue with a space in its name
2. generate a [SARIF report](https://aquasecurity.github.io/trivy/v0.55/docs/configuration/reporting/#sarif

Target

None

Scanner

None

Output Format

SARIF

Mode

Standalone

Debug Output

trivy convert --format sarif --debug --output target/reports/jenkins/trivy-report-security-analysis-sarif.json target/reports/jenkins/trivy-report-security-analysis.json
2024-10-03T12:16:24Z	DEBUG	Cache dir	dir="/.cache/trivy"
2024-10-03T12:16:24Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-03T12:16:24Z	DEBUG	Writing report to output...

Operating System

registry.access.redhat.com/ubi8/openjdk-17

Version

Version: 0.53.0

Checklist

• Run trivy clean --all
• Read the troubleshooting