Incorrect SARIF File Generation by Trivy - GCP scanner

[obounaim]

Description

I believe that Trivy is generating an incorrect SARIF file. This issue affects the ability to properly integrate the results into Github advanced security. This issue occurs when we scan GCP's Terraform resources.

Environment:

• Trivy version: v0.57.1
• Trivy Action version: 0.29

Github error:

Waiting for processing to finish
  Analysis upload status is pending.
  ##[debug]Analysis processing is still pending...
  Analysis upload status is failed.
  ::endgroup::
Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location

Original Github Issue: 408
have noticed that some uri fields are missing from the SARIF file, could this be the cause of the upload problem? Example bellow :

       {
          "ruleId": "AVD-GCP-0061",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: \nType: terraform\nVulnerability AVD-GCP-0061\nSeverity: HIGH\nMessage: Cluster does not have master authorized networks enabled.\nLink: [AVD-GCP-0061](https://avd.aquasec.com/misconfig/avd-gcp-0061)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": ""
              }
            }
          ]
        },

Regards,

Desired Behavior

The generate SARIF should not get rejected by Github. It works for AWS Terraform resources, but when we scan GCP Terraform resources Github rejects the SARIF file.

Actual Behavior

The generate SARIF should not get rejected by Github. It works for AWS Terraform resources, but when we scan GCP Terraform resources Github rejects the SARIF file.

Reproduction Steps

1. Scan GCP terraform resources, and generate the results in a SARIF file
2. Upload the SARIF file to Github Advance Security

Target

None

Scanner

Misconfiguration

Output Format

SARIF

Mode

Standalone

Debug Output

The scanning works fine.

Operating System

Ubuntu 22.04.5

Version

v0.57.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Hi @obounaim !

I'll take a look

[nikpivkin]

Does this happen with every scan? Is it reproducible with trivy v0.58.0?

[obounaim]

@nikpivkin
Yes, it happens every time. I could not test it (without touching the Github actions config files), it seems that trivy-action is still using 0.57.1.

[nikpivkin]

@obounaim I found the cause. Issue to track #8054

[nikpivkin]

Track #8054