Improve shortDescription in SARIF reports #3008

Closed
candrews opened this issue Oct 11, 2022 · 0 comments · Fixed by #3009
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@candrews
Contributor

SARIF allows a "shortDescription" to be provided:

The shortDescription property SHOULD be a single sentence that is understandable when visible space is limited to a single line of text.

See:
https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317845

Currently, Trivy sets the shortDescription to the id of the vulnerability, which is not very readable or understandable.

For example:

{
  "id": "CVE-2020-13844",
  "name": "OsPackageVulnerability",
  "shortDescription": {
    "text": "CVE-2020-13844"
  },
  "fullDescription": {
    "text": "Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \u0026#34;straight-line speculation.\u0026#34;"
  },
  "defaultConfiguration": {
    "level": "warning"
  },
  "helpUri": "https://avd.aquasec.com/nvd/cve-2020-13844",
  "help": {
    "text": "Vulnerability CVE-2020-13844\nSeverity: MEDIUM\nPackage: libstdc++6\nFixed Version: \nLink: [CVE-2020-13844](https://avd.aquasec.com/nvd/cve-2020-13844)\nArm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\"",
    "markdown": "**Vulnerability CVE-2020-13844**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libstdc++6||[CVE-2020-13844](https://avd.aquasec.com/nvd/cve-2020-13844)|\n\nArm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka \"straight-line speculation.\""
  },
  "properties": {
    "precision": "very-high",
    "security-severity": "5.5",
    "tags": [
      "vulnerability",
      "security",
      "MEDIUM"
    ]
  }
}

A shortDescription of CVE-2020-13844 isn't "understandable".

I suggest the vulnerability "title" be used instead, which, in this case, would be "kernel: ARM straight-line speculation vulnerability".
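As an added example (not Trivy's own code), a small Go check in the spirit of this proposal: it derives a one-line shortDescription from the vulnerability title with a fallback to the id, and lints a SARIF document for rules whose shortDescription merely repeats the id. The sample SARIF document and the second rule's title are constructed for the example.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed sample (not Trivy output): the first rule shows the id-as-shortDescription problem.
const sampleSARIF = `{"runs":[{"tool":{"driver":{"rules":[
 {"id":"CVE-2020-13844","shortDescription":{"text":"CVE-2020-13844"}},
 {"id":"CVE-0000-0001","shortDescription":{"text":"placeholder: a readable title"}}]}}}]}`

// rule is the subset of a SARIF reportingDescriptor this check needs.
type rule struct {
	ID               string `json:"id"`
	ShortDescription struct {
		Text string `json:"text"`
	} `json:"shortDescription"`
}

// ShortDescriptionText applies the proposal: the title collapsed to one line, else the id.
func ShortDescriptionText(id, title string) string {
	if t := strings.Join(strings.Fields(title), " "); t != "" {
		return t
	}
	return id
}

// LintShortDescriptions reports rules whose shortDescription is empty or just repeats the id.
func LintShortDescriptions(sarif []byte) ([]string, error) {
	var doc struct {
		Runs []struct {
			Tool struct {
				Driver struct{ Rules []rule `json:"rules"` } `json:"driver"`
			} `json:"tool"`
		} `json:"runs"`
	}
	if err := json.Unmarshal(sarif, &doc); err != nil {
		return nil, err
	}
	var findings []string
	for _, run := range doc.Runs {
		for _, r := range run.Tool.Driver.Rules {
			if s := r.ShortDescription.Text; s == "" || s == r.ID {
				findings = append(findings, r.ID+": shortDescription is just the id")
			}
		}
	}
	return findings, nil
}
```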

@candrews candrews added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 11, 2022
candrews added a commit to candrews/trivy that referenced this issue Oct 11, 2022
…IF reports (aquasecurity#3008)

Use the vulnerability title as the value of shortDescription.

> The shortDescription property SHOULD be a single sentence that is understandable when visible space is limited to a single line of text.

See: https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317845
Signed-off-by: Craig Andrews <candrews@integralblue.com>