ECR: attributes are url-encoded
Acknowledgements
- [x] I have searched (https://github.com/aws/aws-sdk/issues?q=is%3Aissue) for past instances of this issue
- [x] I have verified all of my SDK modules are up-to-date (you can perform a bulk update with `go get -u github.com/aws/aws-sdk-go-v2/...`)
Describe the bug
ECR image scan findings include the ImageScanFinding.Attributes field, which contains arbitrary key-value pairs.
The problem is that those key-values are URL-encoded.
E.g.:

```text
package_name: libxml2
package_version: 2.9.14%2Bdfsg-1.3%7Edeb12u1
```
Note that the version contains %7E.
I believe the SDK should hide all encoding/decoding from the library user and provide ready-to-use data.
Regression Issue
- [ ] Select this option if this issue appears to be a regression.
Expected Behavior
```text
package_name: libxml2
package_version: 2.9.14+dfsg-1.3~deb12u1
```
Current Behavior
```text
package_name: libxml2
package_version: 2.9.14%2Bdfsg-1.3%7Edeb12u1
```
Reproduction Steps
Obtain image scan findings (types.ImageScanFindings) and read their Attributes.
Possible Solution
No response
Additional Information/Context
No response
AWS Go SDK V2 Module Versions Used
```text
github.com/aws/aws-sdk-go-v2 v1.36.3
github.com/aws/aws-sdk-go-v2/config v1.29.9
github.com/aws/aws-sdk-go-v2/credentials v1.17.62
github.com/aws/aws-sdk-go-v2/service/ecr v1.43.0
github.com/aws/aws-sdk-go-v2/service/sts v1.33.17
```
Compiler and Version used
1.24.1
Operating System and version
Ubuntu 24
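The decoding step the reporter is asking the SDK to do can be done on the caller's side today. The following is an added example (not code from this issue or from aws-sdk-go-v2): it parses a finding shaped like the raw `describe-image-scan-findings` output quoted later in this thread and percent-decodes every attribute value. The `attribute` and `finding` structs are local stand-ins for the SDK's `types.Attribute` and `types.ImageScanFinding` so the example runs offline; `sampleFinding` is constructed from the libxml2 finding in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// attribute mirrors the key/value shape of the ECR API's Attribute object.
// It is a local stand-in for the SDK's types.Attribute, not the SDK type itself.
type attribute struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

// finding is a local, trimmed stand-in for an ECR image scan finding.
type finding struct {
	Name       string      `json:"name"`
	Severity   string      `json:"severity"`
	Attributes []attribute `json:"attributes"`
}

// sampleFinding is constructed from the raw CLI output quoted in this thread.
const sampleFinding = `{
  "name": "CVE-2025-27113",
  "severity": "HIGH",
  "attributes": [
    {"key": "CVSS3_SCORE", "value": "7.5"},
    {"key": "CVSS3_VECTOR", "value": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
    {"key": "package_version", "value": "2.9.14%2Bdfsg-1.3%7Edeb12u1"},
    {"key": "package_name", "value": "libxml2"}
  ]
}`

// decodeAttribute percent-decodes one attribute value. url.PathUnescape is used
// rather than url.QueryUnescape because the latter turns a literal '+' into a
// space, which would corrupt a Debian-style version that arrives un-encoded.
// A value that is not valid percent-encoding is returned unchanged, so a
// malformed attribute never hides the finding it belongs to.
func decodeAttribute(v string) string {
	decoded, err := url.PathUnescape(v)
	if err != nil {
		return v
	}
	return decoded
}

// decodedAttributes returns the finding's attributes as a map with
// percent-encoding removed from every value.
func decodedAttributes(f finding) map[string]string {
	out := make(map[string]string, len(f.Attributes))
	for _, a := range f.Attributes {
		out[a.Key] = decodeAttribute(a.Value)
	}
	return out
}

// parseFinding unmarshals one finding object from raw JSON.
func parseFinding(raw string) (finding, error) {
	var f finding
	err := json.Unmarshal([]byte(raw), &f)
	return f, err
}

func main() {
	f, err := parseFinding(sampleFinding)
	if err != nil {
		panic(err)
	}
	attrs := decodedAttributes(f)
	// prints: CVE-2025-27113: libxml2 2.9.14+dfsg-1.3~deb12u1
	fmt.Printf("%s: %s %s\n", f.Name, attrs["package_name"], attrs["package_version"])
}
```

The choice of `url.PathUnescape` matters when these values feed a vulnerability-matching pipeline: `url.QueryUnescape("2.9.14+dfsg-1.3~deb12u1")` yields `2.9.14 dfsg-1.3~deb12u1`, which would no longer compare equal to the version reported by the package manager, whereas `PathUnescape` leaves a literal `+` alone and only rewrites `%XX` sequences.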
Looking at this.
I haven't been able to reproduce this. The image that I have handy doesn't include these packages, and the HTTP response that I see has these attributes as JSON and not URL-encoded. Sample (trimmed) HTTP response from ECR:

```json
{
  "imageId": {
    "imageDigest": "sha256:xxxxxxxxxx"
  },
  "imageScanFindings": {
    "findingSeverityCounts": {
      "HIGH": 9001,
      "MEDIUM": 9001
    },
    "findings": [{
      "attributes": [{
        "key": "CVSS3_SCORE",
        "value": "7.8"
      }, {
        "key": "CVSS3_VECTOR",
        "value": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
      }, {
        "key": "package_version",
        "value": "6.0.121-135.201.2231"
      }, {
        "key": "package_name",
        "value": "kernel-headers"
      }],
      "description": "Some scary bug",
      "name": "CVE-2020-12345",
      "severity": "HIGH",
      "uri": "https://nvd.nist.gov/vuln/detail/CVE-2020-12345"
    },
```
Can you print the raw HTTP response that you get? Here's some sample code on how to achieve that:

```go
// ctx is a context.Context (e.g. context.TODO()); aws, config, ecr and log
// are the usual aws-sdk-go-v2 and standard-library imports.
// LogResponseWithBody makes the SDK log each raw HTTP response, body included.
cfg, err := config.LoadDefaultConfig(ctx, config.WithClientLogMode(aws.LogResponseWithBody))
if err != nil {
	log.Fatal("unable to load SDK config ", err)
}
client := ecr.NewFromConfig(cfg)
```
At minimum, we'd like ECR to acknowledge in their docs that these fields are encoded.
@Madrigal you have simply chosen a CVE that affects a package that has a version that does not need percent encoding.
Here is a raw response from an AWS CLI call:

```shell
aws ecr describe-image-scan-findings --registry-id <redacted> --repository-name <redacted> --image-id imageTag=<redacted>
```

```json
{
  "name": "CVE-2025-27113",
  "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.",
  "uri": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113",
  "severity": "HIGH",
  "attributes": [
    {
      "key": "CVSS3_SCORE",
      "value": "7.5"
    },
    {
      "key": "CVSS3_VECTOR",
      "value": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    },
    {
      "key": "package_version",
      "value": "2.9.14%2Bdfsg-1.3%7Edeb12u1"
    },
    {
      "key": "package_name",
      "value": "libxml2"
    }
  ]
},
```
Interestingly, the API reference DOES NOT describe those as percent-encoded: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Attribute.html
So I guess the documentation also has to be fixed.
UPD: oops, I didn't notice you have also provided a link, somehow the last line of your comment got into my blind spot.