prisma-cloud-scan
Sarif Upload Step Fails
Describe the bug
I've found that if I change the scan workflow from the out-of-the-box format it's provided in, I run into the following issue:

```
Uploading results
Processing sarif files: ["pcc_scan_results.sarif.json"]
Uploading results
Successfully uploaded results
Waiting for processing to finish
Analysis upload status is pending.
Analysis upload status is failed.
Error: Code Scanning could not process the submitted SARIF file: SARIF URI scheme "csbase-ubuntu" did not match the checkout URI scheme "file"
Error: Code Scanning could not process the submitted SARIF file: SARIF URI scheme "csbase-ubuntu" did not match the checkout URI scheme "file"
    at Object.waitForProcessing (/home/ubuntu/actions-runner/_work/_actions/github/codeql-action/v2/lib/upload-lib.js:337:23)
    at async run (/home/ubuntu/actions-runner/_work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:57:13)
    at async runWrapper (/home/ubuntu/actions-runner/_work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:72:9)
```
Here's a sample of what I attempted:
```yaml
- name: Prisma Cloud image scan
  id: scan-ubuntu
  uses: PaloAltoNetworks/[email protected]
  with:
    pcc_console_url: ${{ secrets.PCC_CONSOLE_URL }}
    pcc_user: ${{ secrets.PCC_USER }}
    pcc_pass: ${{ secrets.PCC_PASS }}
    image_name: ${{ env.UBUNTU_IMAGE_NAME }}:${{ env.IMAGE_TAG }}

# (Optional) for compatibility with GitHub's code scanning alerts
- name: Upload SARIF file
  if: ${{ always() }} # necessary if using failure thresholds in the image scan
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: ${{ steps.scan-ubuntu.outputs.sarif_file }}
```
Here's a sample of the SARIF file contents:

```json
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Prisma Cloud (twistcli)",
          "version": "31.00.129",
          "rules": [
            {
              "id": "41",
              "shortDescription": { "text": "[Prisma Cloud] Compliance check 41 violated (high)" },
              "fullDescription": { "text": "High severity compliance check \"(CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user\" violated" },
              "help": {
                "text": "",
                "markdown": "| Compliance Check | Severity | Title |\n| --- | --- | --- |\n| 41 | high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |"
              },
              "properties": { "security-severity": "8.9" }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "41",
          "level": "warning",
          "message": { "text": "Description:\nIt is a good practice to run the container as a non-root user, if possible. Though user\nnamespace mapping is now available, if a user is already defined in the container image, the\ncontainer is run as that user by default and specific user namespace remapping is not\nrequired" },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "csbase-ubuntu:4bd4745c7b8b704a6023cd3c09084cf787e2ce40" },
                "region": { "startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1 }
              }
            }
          ]
        }
      ]
    }
  ]
}
```
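The upload error above comes from the `artifactLocation.uri` values: GitHub code scanning checks that every location's URI scheme matches the checkout's (`file`), and an image scanner has no source path to point at, so it writes the image reference (`csbase-ubuntu:<sha>`, or `ubuntu:...`) there instead. The following script is an added example, not code from this thread or from the prisma-cloud-scan action. It lists the offending URIs in a SARIF file and, optionally, rewrites them to a repository-relative path while preserving the original image reference in the result's `properties`, so the upload step can succeed without losing what was scanned. The default target path `Dockerfile` and the property name `scannedImage` are assumptions chosen for this example; adjust them to your repository.

```python
"""Check and normalise SARIF artifactLocation URIs before a code-scanning upload.

Added example: not part of this issue thread or of the prisma-cloud-scan action.
GitHub code scanning rejects a SARIF whose artifactLocation URIs carry a scheme
other than the checkout's ("file"); an image scanner writes the image reference
(e.g. "csbase-ubuntu:<sha>") there because a container image has no source path.
This script lists such URIs and can rewrite them to a repository-relative path,
keeping the original image reference in the result's "properties".
Assumptions (not from the page): the default target path "Dockerfile" and the
property name "scannedImage" are choices of this example.
"""
import json
import re
import sys

# Constructed, trimmed copy of the SARIF shape shown in the issue.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Prisma Cloud (twistcli)", "rules": [{"id": "41"}]}},
        "results": [{
            "ruleId": "41",
            "level": "warning",
            "message": {"text": "Image should be created with a non-root user"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "csbase-ubuntu:4bd4745c7b8b704a6023cd3c09084cf787e2ce40"},
                "region": {"startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1},
            }}],
        }],
    }],
}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# A "file" checkout accepts "file" URIs and plain relative paths (no scheme).
ALLOWED_SCHEMES = {"", "file"}


def scheme_of(uri):
    """Return the lower-cased URI scheme, or "" for a scheme-less relative path."""
    m = _SCHEME_RE.match(uri)
    return m.group(1).lower() if m else ""


def _iter_artifact_locations(sarif):
    """Yield (result, artifactLocation) for every physical location in every run."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation")
                if art is not None and "uri" in art:
                    yield result, art


def find_foreign_schemes(sarif):
    """Return the URIs whose scheme would not match a 'file' checkout."""
    return [art["uri"] for _, art in _iter_artifact_locations(sarif)
            if scheme_of(art["uri"]) not in ALLOWED_SCHEMES]


def rewrite_uris(sarif, relative_path="Dockerfile", property_key="scannedImage"):
    """Return (copy, count): a deep copy with foreign-scheme URIs replaced by
    relative_path, the original reference kept under result.properties[property_key].
    The input document is left untouched."""
    fixed = json.loads(json.dumps(sarif))
    changed = 0
    for result, art in _iter_artifact_locations(fixed):
        if scheme_of(art["uri"]) not in ALLOWED_SCHEMES:
            result.setdefault("properties", {})[property_key] = art["uri"]
            art["uri"] = relative_path
            changed += 1
    return fixed, changed


def main(argv):
    if len(argv) < 2:
        print("usage: fix_sarif_uris.py <in.sarif.json> [out.sarif.json]")
        return 2
    with open(argv[1]) as fh:
        sarif = json.load(fh)
    bad = find_foreign_schemes(sarif)
    if not bad:
        print("no foreign URI schemes found; safe to upload as-is")
        return 0
    print("foreign URI schemes:", sorted({scheme_of(u) for u in bad}))
    if len(argv) > 2:
        fixed, n = rewrite_uris(sarif)
        with open(argv[2], "w") as fh:
            json.dump(fixed, fh, indent=2)
        print(f"rewrote {n} location(s) to {argv[2]}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a workflow step between the scan and the upload (`python fix_sarif_uris.py pcc_scan_results.sarif.json fixed.sarif.json`) and point `upload-sarif` at the rewritten file. Keeping the image reference in `properties` matters: once the location is a repository path, the alert no longer says by itself which image digest the finding came from.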
Hi Team,
We are also facing the same issue after updating to version 1.5.
Same for me when scanning ubuntu:latest
```
2023-12-13T10:44:24.3240672Z ##[error]Code Scanning could not process the submitted SARIF file: SARIF URI scheme "ubuntu" did not match the checkout URI scheme "file", SARIF URI scheme "ubuntu" did not match the checkout URI scheme "file", SARIF URI scheme "ubuntu" did not match the checkout URI scheme "file", SARIF URI scheme "ubuntu" did not match the checkout URI scheme "file", SARIF URI scheme "ubuntu" did not match the checkout URI scheme "file"
2023-12-13T10:44:24.3261063Z InvalidRequestError: Code Scanning could not process the submitted SARIF file:
2023-12-13T10:44:24.3269276Z SARIF URI scheme "ubuntu" did not match the checkout URI scheme "file", SARIF URI scheme "ubuntu" did not match the checkout URI scheme "file", SARIF URI scheme "ubuntu" did not match the checkout URI scheme "file", SARIF URI scheme "ubuntu" did not match the checkout URI scheme "file", SARIF URI scheme "ubuntu" did not match the checkout URI scheme "file"
2023-12-13T10:44:24.3279270Z     at Object.waitForProcessing (/actions-runner/_work/_actions/github/codeql-action/v2/lib/upload-lib.js:351:23)
2023-12-13T10:44:24.3282961Z     at async run (/actions-runner/_work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:57:13)
2023-12-13T10:44:24.3287023Z     at async runWrapper (/actions-runner/_work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:72:9)
```

Here the policy failed because of compliance (non-root) and was not failing due to vulnerabilities.

```
2023-12-13T10:44:17.2071088Z Compliance found for image ubuntu:latest: total - 1, critical - 0, high - 1, medium - 0, low - 0
2023-12-13T10:44:17.2072104Z Compliance threshold check results: FAIL
2023-12-13T10:44:17.2073944Z Scan failed due to compliance policy violations: Default - alert on critical and high, 1 violations
2023-12-13T10:44:17.5881656Z Link to the results in Console: https://app4.prismacloud.io/compute?computeState=/monitor/vulnerabilities/images/ci?search%3Dsha256%253Ab6548eacb0639263e9d8abfee48f8ac8b327102a05335b67572f715c580a968e
2023-12-13T10:44:17.5887102Z Wrote scan results to pcc_scan_results.json
2023-12-13T10:44:17.6009664Z ##[error]Image scan failed
```