
fix(java): don't stop parsing jar file when wrong inner jar is found #2989

Merged
merged 3 commits into from
Oct 11, 2022

Conversation

DmitriyLewen (Contributor) commented Oct 3, 2022

Description

When we find a wrong inner jar, we don't need to stop parsing the jar.
We need to write a debug message and continue parsing.

Before:

➜ trivy -d rootfs ./test.war
2022-10-03T12:01:02.749+0600	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-10-03T12:01:02.754+0600	DEBUG	cache dir:  /home/dmitriy/.cache/trivy
2022-10-03T12:01:02.754+0600	DEBUG	DB update was skipped because the local DB is the latest
2022-10-03T12:01:02.754+0600	DEBUG	DB Schema: 2, UpdatedAt: 2022-10-03 00:15:44.710356291 +0000 UTC, NextUpdate: 2022-10-03 06:15:44.710355891 +0000 UTC, DownloadedAt: 2022-10-03 04:44:27.506382339 +0000 UTC
2022-10-03T12:01:02.756+0600	INFO	Vulnerability scanning is enabled
2022-10-03T12:01:02.756+0600	DEBUG	Vulnerability type:  [os library]
2022-10-03T12:01:02.756+0600	INFO	Secret scanning is enabled
2022-10-03T12:01:02.756+0600	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-03T12:01:02.756+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-03T12:01:02.756+0600	DEBUG	No secret config detected: trivy-secret.yaml
2022-10-03T12:01:02.758+0600	DEBUG	Parsing Java artifacts...	{"file": "test.war"}
2022-10-03T12:01:02.762+0600	DEBUG	Parsing Java artifacts...	{"file": "WEB-INF/lib/jcprov.jar"}
2022-10-03T12:01:02.762+0600	DEBUG	Analysis error: jar/war/ear/par parse error: failed to parse WEB-INF/lib/jcprov.jar: failed to parse WEB-INF/lib/jcprov.jar: zip error: zip: not a valid zip file
2022-10-03T12:01:02.765+0600	DEBUG	OS is not detected.
2022-10-03T12:01:02.765+0600	DEBUG	Detected OS: unknown
2022-10-03T12:01:02.765+0600	INFO	Number of language-specific files: 0

After:

➜ ./trivy -d rootfs ./test.war
2022-10-03T12:03:06.311+0600	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-10-03T12:03:06.314+0600	DEBUG	cache dir:  /home/dmitriy/.cache/trivy
2022-10-03T12:03:06.314+0600	DEBUG	DB update was skipped because the local DB is the latest
2022-10-03T12:03:06.314+0600	DEBUG	DB Schema: 2, UpdatedAt: 2022-10-03 00:15:44.710356291 +0000 UTC, NextUpdate: 2022-10-03 06:15:44.710355891 +0000 UTC, DownloadedAt: 2022-10-03 04:44:27.506382339 +0000 UTC
2022-10-03T12:03:06.314+0600	INFO	Vulnerability scanning is enabled
2022-10-03T12:03:06.314+0600	DEBUG	Vulnerability type:  [os library]
2022-10-03T12:03:06.314+0600	INFO	Secret scanning is enabled
2022-10-03T12:03:06.314+0600	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-03T12:03:06.314+0600	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-10-03T12:03:06.314+0600	DEBUG	No secret config detected: trivy-secret.yaml
2022-10-03T12:03:06.314+0600	DEBUG	Parsing Java artifacts...	{"file": "test.war"}
2022-10-03T12:03:06.315+0600	DEBUG	Parsing Java artifacts...	{"file": "WEB-INF/lib/jcprov.jar"}
2022-10-03T12:03:06.315+0600	DEBUG	failed to parse WEB-INF/lib/jcprov.jar: failed to parse WEB-INF/lib/jcprov.jar: zip error: zip: not a valid zip file
2022-10-03T12:03:06.319+0600	DEBUG	Parsing Java artifacts...	{"file": "WEB-INF/lib/log4j-api-2.17.0.jar"}
2022-10-03T12:03:06.339+0600	DEBUG	Parsing Java artifacts...	{"file": "WEB-INF/lib/log4j-core-2.17.0.jar"}
2022-10-03T12:03:06.341+0600	DEBUG	Parsing Java artifacts...	{"file": "WEB-INF/lib/log4j-slf4j-impl-2.17.0.jar"}
2022-10-03T12:03:07.274+0600	DEBUG	No such POM in the central repositories	{"file": "test.war"}
2022-10-03T12:03:07.277+0600	DEBUG	OS is not detected.
2022-10-03T12:03:07.277+0600	DEBUG	Detected OS: unknown
2022-10-03T12:03:07.277+0600	INFO	Number of language-specific files: 1
2022-10-03T12:03:07.277+0600	INFO	Detecting jar vulnerabilities...
2022-10-03T12:03:07.277+0600	DEBUG	Detecting library vulnerabilities, type: jar, path: 
2022-10-03T12:03:07.283+0600	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────┐
│                    Library                     │ Vulnerability  │ Severity │ Installed Version │ Fixed Version  │                        Title                        │
├────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-api (test.war)  │ CVE-2021-44832 │ MEDIUM   │ 2.17.0            │ 2.17.1         │ log4j-core: remote code execution via JDBC Appender │
│                                                │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2021-44832          │
├────────────────────────────────────────────────┤                │          │                   ├────────────────┤                                                     │
│ org.apache.logging.log4j:log4j-core (test.war) │                │          │                   │ 2.12.4, 2.17.1 │                                                     │
│                                                │                │          │                   │                │                                                     │
└────────────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────┘

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
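The behaviour the PR describes, as an added example that is not Trivy's own code: walk a WAR-like archive, recurse into nested jars, and when a nested entry is not a valid zip, log a debug message and keep going instead of aborting the whole parse. The archive contents (a corrupt `jcprov.jar` followed by a valid `log4j-core` jar) are constructed in memory to mirror the PR's `test.war`; the helper names (`ParseArchive`, `BuildArchive`, `SampleWar`), the `maxDepth` recursion bound and the per-entry read cap are assumptions for this example, not Trivy APIs or defaults.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"log"
	"strings"
)

// Entry is one file to place in the constructed sample archive.
type Entry struct {
	Name string
	Data []byte
}

// BuildArchive writes the entries into an in-memory zip (jar/war) in order.
// It exists only to construct sample input for this example.
func BuildArchive(entries []Entry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		f, err := w.Create(e.Name)
		if err != nil {
			panic(err)
		}
		if _, err := f.Write(e.Data); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// maxDepth bounds recursion into nested archives so a crafted
// jar-in-jar-in-jar chain cannot recurse without limit (assumed value).
const maxDepth = 8

func isArchive(name string) bool {
	for _, ext := range []string{".jar", ".war", ".ear", ".par"} {
		if strings.HasSuffix(name, ext) {
			return true
		}
	}
	return false
}

// readEntry decompresses one zip entry, capped at 64 MiB (assumed ceiling) so
// a highly compressed inner entry cannot exhaust memory; a truncated entry is
// then rejected by the zip parser in ParseArchive and logged like any other.
func readEntry(f *zip.File) ([]byte, error) {
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	return io.ReadAll(io.LimitReader(rc, 64<<20))
}

// ParseArchive returns the paths of every archive it could open, starting with
// name itself and descending into nested jars. A nested entry that is not a
// valid zip is reported through logf and skipped; only the top-level archive
// being unreadable is a hard error.
func ParseArchive(name string, data []byte, depth int, logf func(string, ...any)) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, fmt.Errorf("failed to parse %s: zip error: %w", name, err)
	}
	found := []string{name}
	if depth >= maxDepth {
		logf("%s: nesting depth %d reached, not descending further", name, maxDepth)
		return found, nil
	}
	for _, f := range zr.File {
		if f.FileInfo().IsDir() || !isArchive(f.Name) {
			continue
		}
		inner, err := readEntry(f)
		if err != nil {
			logf("failed to read %s: %v", f.Name, err)
			continue
		}
		nested, err := ParseArchive(f.Name, inner, depth+1, logf)
		if err != nil {
			// Debug-log the broken inner jar and continue with the next entry.
			logf("%v", err)
			continue
		}
		found = append(found, nested...)
	}
	return found, nil
}

// SampleWar mirrors the PR's test.war: a corrupt inner jar followed by a valid one.
func SampleWar() []byte {
	return BuildArchive([]Entry{
		{Name: "WEB-INF/lib/jcprov.jar", Data: []byte("this is not a zip file")},
		{Name: "WEB-INF/lib/log4j-core-2.17.0.jar", Data: BuildArchive(nil)},
		{Name: "WEB-INF/classes/Hello.class", Data: []byte{0xCA, 0xFE, 0xBA, 0xBE}},
	})
}

func main() {
	libs, err := ParseArchive("test.war", SampleWar(), 0, log.Printf)
	if err != nil {
		log.Fatal(err)
	}
	for _, l := range libs {
		fmt.Println(l)
	}
}
```

Running it prints `test.war` and `WEB-INF/lib/log4j-core-2.17.0.jar`, with one log line for `jcprov.jar` in between; before the fix the equivalent walk would have returned the `jcprov.jar` error and the `log4j-core` jar would never have been reached, which is exactly how a single corrupt entry hid the two log4j findings in the "Before" output above.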

@DmitriyLewen DmitriyLewen changed the title from "refactor(java): write debug message when wrong inner jar is found" to "fix(java): don't stop parsing jar file when wrong inner jar is found" Oct 3, 2022
@DmitriyLewen DmitriyLewen self-assigned this Oct 3, 2022
@DmitriyLewen DmitriyLewen marked this pull request as ready for review October 4, 2022 03:57
@knqyf263 knqyf263 merged commit 68f7952 into main Oct 11, 2022
@knqyf263 knqyf263 deleted the refactor/debug-for-wrong-inneg-jar branch October 11, 2022 09:45
Development

Successfully merging this pull request may close these issues.

A corrupt JAR file inside a WAR can prevent detections
2 participants