-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for SARIF output #216
Comments
@Dentrax You can get SARIF output and scanning GH action using betterscan https://github.com/marcinguy/betterscan-ce It has OSV scanner as one the scanners |
Hey @marcinguy, since this is slightly out-of-context of what I'm proposing here; but I definitely check that project, seems interesting! Thanks for dropping that. |
@Dentrax No worries. Was trying to help. Yea, different outputs from OSV scanner would be great. +1 |
Thanks for the suggestion! This is indeed something we've been thinking about. This is something that may be blocked on #150. Can you also speak a bit about how you intend to consume the SARIF output? Is this meant to be fed to e.g. GitHub's code scanning alerts? Are there other use cases for this? |
Actually, yes. This is my only use-case. |
Hey guys, any update on SARIF support? |
I'm also interested in this feature. It makes integrations with CI/CD tools a way nicer! |
This is already being worked on by @another-rex in #420. |
This PR features: - Refactors the format flag's internal logic so that we can don't need to repeat the format types so much, and we can test when we add a new format entry if we forgot anything. - Adds a new format "sarif", which returns a SARIF report (closes #216 ) - Adds a Github Action `action.yaml` and it's specialized dockerfile `action.dockerfile`. This docker image runs a bash script wrapping osv-scanner, first by preprocessing the input so the last argument will be split by new line, allowing the workflow user to pass in multiple directories/files they wish to scan. The script also changes exit codes 127 and 128 to 0 as they contain errors that the user can't really do anything about. - Adds two reusable workflows using this new github action for this repo - Reusable PR workflow, for using to check if PRs introduce new vulnerabilities. - Reusable Scheduled workflow, for use to regularly check for new vulns applying to your existing vulns. - Adds an experimental flag: `--experimental-diff`, which will only output the difference between a previous run and this run of the osv-scanner. This is for use in the PR workflow. - Sorts the grouped ID output. Closes #57 Currently the reusable workflow has to point to a specific action which cannot be relative (otherwise it would point to the wrong action when reused in another repo). This means right now it's pointed to this fork/branch instead of the master branch, this will need to be updated once this PR is merged. Example of what workflow sarif output looks like: ![image](https://github.com/google/osv-scanner/assets/106129829/fc7a0ac4-f3d8-4524-93ba-7b03dd0313cd) Here is an example of the PR reusable workflow working: another-rex/scorecard-check-osv-e2e#1 That PR adds an additional vulnerability, which causes it to fail. You can see that only the new vuln is showing up in the code scanning report: https://github.com/another-rex/scorecard-check-osv-e2e/security/code-scanning/1 TODO after this PR is merged: - Change links that point to this PR branch to point to main (and/or a tagged commit of main) - Add support for annotations - Add documentation (this is for later, as we want to dogfood it in our own repos first before broadcasting this widely) --------- Signed-off-by: Rex P <rexpan@google.com>
I tested this and it outputs to sarif format great, but probably not quite what I expected. |
Thanks for the feedback @Ma1tobiose. Can you please give a sample output that you'd like to see? Also curious if there's feedback from any others in this issue. e.g. @pwa-tapptic , @jaskaransinghdr6j @Dentrax |
I tested it on my side and I'd have same remark as @Ma1tobiose . {
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
"runs": [
{
"tool": { ...
},
"results": [
{
"ruleId": "GHSA-72xf-g2v4-qvf3-tough-cookie",
"message": {
"text": "The path /yarn.lock reports tough-cookie at version 4.1.2 which would result in a vulnerable (npm) package installed"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "/yarn.lock"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
]
},
{
"ruleId": "GHSA-776f-qx25-q3cc-xml2js",
"message": {
"text": "The path /yarn.lock reports xml2js at version 0.4.23 which would result in a vulnerable (npm) package installed"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "/yarn.lock"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
]
},
... just to give you an example. |
Thanks! Our motivation behind a single aggregated report, is to better connect this to #352 via a single remediation command included in the result (e.g. "to fix these interactively, run Could we understand a bit better how having separate results helps your use cases? Does this provide better UX for you to look at vulnerability results individually as opposed to a single one? |
Thanks! @oliverchang |
@oliverchang one-click fix is an awesome feature and great motivation behind tool as OSV, it must be seen as something valuable from CLI user perspective. |
@another-rex let's investigate if there's a good middle ground here. |
+1 SARIF should ideally represent each "finding" as it's own line item. Being an interchange format, it would be right to use it as a 1 CVE per item template. |
Here is the current format I am thinking of merging, would love any feedback (fyi: @pwa-tapptic @jaskaransinghdr6j @Ma1tobiose) {
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"informationUri": "https://github.com/google/osv-scanner",
"name": "osv-scanner",
"rules": [
{
"id": "RUSTSEC-2022-0041",
"shortDescription": {
"text": "OSV.Summary"
},
"fullDescription": {
"text": "OSV.Details",
"markdown": "OSV.Details"
},
"help": {
"text": "...",
"markdown": "Markdown table of occurrences in the repo (i.e. If this vuln affects multiple packages/lockfiles)"
}
}
]
}
},
"artifacts": [
{
"location": {
"uri": "path/to/Cargo.lock"
},
"length": -1
}
],
"results": [
{
"ruleId": "RUSTSEC-2023-0045",
"ruleIndex": 0,
"level": "warning",
"message": {
"text": "Package 'memoffset@0.6.1' is vulnerable to 'RUSTSEC-2023-0045', please upgrade to versions '0.6.2' to fix this vulnerability"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "path/to/Cargo.lock"
}
}
}
]
}
// ... One result per vulnerable package per vulnerability
]
}
]
}
This is complicated by the fact that not every OSV entry has a corresponding CVE (e.g. RUSTSEC-2023-0045), and we can have multiple advisories from different sources referring to the exact same vulnerability. This is common for vulnerabilities published by github advisories, where for some languages there will be security advisories published by the language maintainers as well. One solution to this we are thinking is to fill "ruleId" with all the aliased vulnerabilities joined together (e.g. id: Tell us if this will work for your workflows! |
This is great! However, I feel as many findings aggregators will be using these findings to autofill fields like "Finding Title", the joined ruleId might be a bit too onerous. There seems to be no straightforward way to deal with this according to the SARIF spec. What if we default the ruleId to "CVE-XXXX" if available, and fallback to package specific id "RUSTSEC-YYYY" if the former is not available? (or vice-versa) The other approach could be to list all the aliases in the message text field as : "Also Reported as |
The formatting is great, and I agree with @jaskaransinghdr6j's solution (if it's feasible), being able to easily query the cve and refer sources would make it much quicker to find vulnerability details and fixes. |
Fixes #216 with a new format that separates out individual vulnerabilities. Each vulnerability is now it's own rule violation. The aliased vulnerabilities are grouped together as one rule violation, with an ID picked in this priority (CVE -> [Eco Specific] -> GHSA).
I implemented this in the SARIF PR and it's now been merged, so please try it out in latest main branch of osv-scanner (this change is not in 1.4.0) and see if this fits your use cases! |
It'd be great to have a SARIF output format to upload the results to GitHub. (i.e. with
github/codeql-action/upload-sarif
action)Blocked by #217
The text was updated successfully, but these errors were encountered: