From 85e0139f3255b8f6d4af12d8b5bbcf965a371906 Mon Sep 17 00:00:00 2001
From: rahul2393
Date: Wed, 19 Aug 2020 22:53:04 +0530
Subject: [PATCH] Fix: fullDescription field in SARIF output is not correctly escaped (#605)
* Fixed sarif template fullDescription escape
* Added fix to other possible places
* Added test for escaping character
---
 contrib/sarif.tpl | 10 +++++-----
 pkg/report/writer_test.go | 12 ++++++------
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/contrib/sarif.tpl b/contrib/sarif.tpl
index f73b7339b8..e8c1d5b66a 100644
--- a/contrib/sarif.tpl
+++ b/contrib/sarif.tpl
@@ -20,20 +20,20 @@
 "id": "[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}",
 "name": "dockerfile_scan",
 "shortDescription": {
- "text": "{{ .VulnerabilityID }} Package: {{ .PkgName }}"
+ "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
 },
 "fullDescription": {
- "text": "{{ endWithPeriod (escapeString .Title) }}"
+ "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
 },
 "help": {
- "text": "Vulnerability {{ .VulnerabilityID }}\nSeverity: {{ .Vulnerability.Severity }}\nPackage: {{ .PkgName }}\nInstalled Version: {{ .InstalledVersion }}\nFixed Version: {{ .FixedVersion }}\nLink: [{{ .VulnerabilityID }}](https://nvd.nist.gov/vuln/detail/{{ .VulnerabilityID | toLower }})",
- "markdown": "**Vulnerability {{ .VulnerabilityID }}**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|{{ .Vulnerability.Severity }}|{{ .PkgName }}|{{ .InstalledVersion }}|{{ .FixedVersion }}|[{{ .VulnerabilityID }}](https://nvd.nist.gov/vuln/detail/{{ .VulnerabilityID | toLower }})|\n"
+ "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](https://nvd.nist.gov/vuln/detail/%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID (.VulnerabilityID | toLower) | printf "%q"}},
+ "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](https://nvd.nist.gov/vuln/detail/%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID (.VulnerabilityID | toLower) | printf "%q"}}
 },
 "properties": {
 "tags": [
 "vulnerability",
 "{{ .Vulnerability.Severity }}",
- "{{ .PkgName }}"
+ {{ .PkgName | printf "%q" }}
 ],
 "precision": "very-high"
 }
diff --git a/pkg/report/writer_test.go b/pkg/report/writer_test.go
index 7117177560..b6a4095ae1 100644
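Review bot: `printf "%q"` on the new `"text"`, `"markdown"` and tag lines is Go string-literal quoting (strconv.Quote semantics), not JSON quoting, so titles and descriptions taken from advisory feeds can still produce a SARIF document that strict JSON parsers reject. Go quoting emits `\a`, `\v`, `\xHH` (for other control bytes and invalid UTF-8) and `\U........` for some non-BMP runes, none of which is a JSON escape, whereas a func-map entry that returns `string(json.Marshal(s))` (encoding/json is stdlib, and Marshal of a plain string does not fail) escapes every input correctly. With such a function (call it `jsonString`; the name is constructed, the template func map is not visible here) the fullDescription line would read `"text": {{ jsonString (endWithPeriod (escapeString .Title)) }}`, and the other four call sites follow the same pattern. The `"id"` context line at the top of the hunk and the `"{{ .Vulnerability.Severity }}"` tag still interpolate raw values inside literal quotes, so they deserve the same treatment if those fields can carry quotes or backslashes. Whether `escapeString` should stay in front of a JSON-quoting step depends on what it does, which this patch does not show; if it HTML-escapes, a SARIF plain-text field would carry entities verbatim.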
--- a/pkg/report/writer_test.go
+++ b/pkg/report/writer_test.go
@@ -237,12 +237,12 @@ func TestReportWriter_Template(t *testing.T) {
 detectedVulns: []types.DetectedVulnerability{
 {
 VulnerabilityID: "123",
- PkgName: "foo",
+ PkgName: `foo \ test`,
 InstalledVersion: "1.2.3",
 FixedVersion: "3.4.5",
 Vulnerability: dbTypes.Vulnerability{
 Title: `gcc: POWER9 "DARN" RNG intrinsic produces repeated output`,
- Description: `curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.`,
+ Description: `curl version curl \X 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.`,
 Severity: "HIGH",
 },
 },
@@ -258,8 +258,8 @@ func TestReportWriter_Template(t *testing.T) { {{- end -}} {{ range .Vulnerabilities }} - - {{escapeXML .Description | printf "%q" }} + + {{ endWithPeriod (escapeString .Description) | printf "%q" }} {{- end }}
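Review bot: The new fixture values `foo \ test` and `\X` only exercise a backslash, which is a character Go quoting and JSON quoting handle identically, so the test cannot catch the inputs where `printf "%q"` diverges from JSON (a `\v` or other control byte becomes `\x0b`-style escapes, invalid UTF-8 becomes `\xHH`). Adding such a byte to one fixture, e.g. `PkgName: "foo \v test\x01",`, and adding a case that renders contrib/sarif.tpl itself and checks the result with `json.Valid` would pin the property this fix is actually after, rather than a literal string comparison that passes as long as the escape is merely consistent. TestReportWriter_Template starts before this hunk and continues past it. The `@@ -258` and `@@ -271` hunks below appear to have lost their XML markup in rendering (the `- -`/`+ +` pairs and the 8-line counts do not match the visible text), so the template and expected-output lines there cannot be reviewed from this page.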
@@ -271,8 +271,8 @@ func TestReportWriter_Template(t *testing.T) { - - "curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0." + + "curl version curl \\X 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0." `,