Scan AWS: Adapter error: failed to run adapter for api-gateway
Description
Using the tool to run a scan on AWS, I get a warning/error on the api-gateway check:
Adapter error: failed to run adapter for api-gateway: operation error ApiGatewayV2: GetDomainNames, https response error StatusCode: 200, RequestID: d9729a2a-1a64-493b-898a-c5ca32ad73e0, deserialization failed, failed to decode response body with invalid JSON, expected __timestampIso8601 to be of type string, got json.Number instead
I expect that the results on api-gateway are not reliable. Moreover, the whole output always shows 0 findings, and it's unreliable:
┌───────────────┬──────────────────────────────────────────────────┬──────────────┐
│ │ Misconfigurations │ │
│ ├──────────┬──────────────┬────────┬─────┬─────────┤ │
│ Service │ Critical │ High │ Medium │ Low │ Unknown │ Last Scanned │
├───────────────┼──────────┼──────────────┼────────┼─────┼─────────┼──────────────┤
│ api-gateway │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ athena │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ cloudfront │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ cloudtrail │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ cloudwatch │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ codebuild │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ documentdb │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ dynamodb │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ ec2 │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ ecr │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ ecs │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ efs │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ eks │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ elasticache │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ elasticsearch │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ elb │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ emr │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ iam │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ kinesis │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ kms │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ lambda │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ mq │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ msk │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ neptune │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ rds │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ redshift │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ s3 │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ sns │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ sqs │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ ssm │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ workspaces │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
└───────────────┴──────────┴──────────────┴────────┴─────┴─────────┴──────────────┘
If I check only one service (like --service ec2), I find many findings. So that error seems to break the output of the whole search.
Output of run with -debug:
2022-08-17T16:29:38.352+0200 DEBUG Scanning the following services using the AWS API: [api-gateway, athena, cloudfront, cloudtrail, cloudwatch, codebuild, documentdb, dynamodb, ec2, ecr, ecs, efs, eks, elasticache, elasticsearch, elb, emr, iam, kinesis, kms, lambda, mq, msk, neptune, rds, redshift, s3, sns, sqs, ssm, workspaces]...
2022-08-17T16:29:38.356+0200 DEBUG [defsec] 29:38.356492000 aws-api.scanner.adapt.aws Using region 'eu-west-1'
2022-08-17T16:29:38.356+0200 DEBUG [defsec] 29:38.356523000 aws-api.scanner.adapt.aws Discovering caller identity...
2022-08-17T16:29:38.615+0200 DEBUG [defsec] 29:38.615983000 aws-api.scanner.adapt.aws AWS account ID: ....
2022-08-17T16:29:38.616+0200 DEBUG [defsec] 29:38.616029000 aws-api.scanner.adapt.aws Preparing to run for 31 filtered services...
2022-08-17T16:29:38.616+0200 DEBUG [defsec] 29:38.616047000 aws-api.scanner.adapt.aws Running adapter for api-gateway...
[1/31] Scanning api-gateway...
└╴Adapting v1 domain names... ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ 0% 0/16 ??/s ETA: ??m??s
└╴Adapting v1 APIs... ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ 0% 0/14 1000/s ETA: 00m00s
└╴Discovering v2 domain names... ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ 0% 0/14 449/s ETA: 00m00s
2022-08-17T16:29:39.870+0200 DEBUG [defsec] 29:39.870933000 aws-api.scanner.adapt.aws Error occurred while running adapter for api-gateway: operation error ApiGatewayV2: GetDomainNames, https response error StatusCode: 200, RequestID: ab9ec964-6cf3-4fd9-b4a2-d
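An added example, not part of the original report or the scanner's own code: a post-processing check that refuses to treat an all-zero summary as clean when any adapter error appears in the captured output. The function names and the sample text are constructed for illustration, and the policy of marking the whole run untrusted on any adapter error is an assumption based on the behaviour reported above.

```python
import re

# Constructed sample: an error line and summary rows in the shape shown in the report.
SAMPLE_OUTPUT = """\
Adapter error: failed to run adapter for api-gateway: operation error ApiGatewayV2: GetDomainNames, deserialization failed
│ api-gateway │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ ec2 │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
│ s3 │ 0 │ 0 │ 0 │ 0 │ 0 │ just now │
"""

# Both wordings of the adapter failure that appear in the report (summary and debug log).
ADAPTER_ERROR = re.compile(
    r"(?:Adapter error: failed to run adapter for|"
    r"Error occurred while running adapter for) ([\w-]+)")
# Columns: service | critical | high | medium | low | unknown | last scanned
SUMMARY_ROW = re.compile(r"^│\s*([\w-]+)\s*│" + r"\s*(\d+)\s*│" * 5)


def failed_adapters(output):
    """Services whose adapter reported an error anywhere in the output."""
    return sorted(set(ADAPTER_ERROR.findall(output)))


def summary_counts(output):
    """Map service -> total findings parsed from the summary table rows."""
    counts = {}
    for line in output.splitlines():
        m = SUMMARY_ROW.match(line.strip())
        if m:  # header and separator rows do not match
            counts[m.group(1)] = sum(int(n) for n in m.groups()[1:])
    return counts


def assess(output):
    """Return (verdict, failed, counts); a run with an adapter error is never 'clean'."""
    failed = failed_adapters(output)
    counts = summary_counts(output)
    if failed or not counts:  # assumption: any adapter error taints the whole run
        return "untrusted", failed, counts
    return ("findings" if any(counts.values()) else "clean"), failed, counts


if __name__ == "__main__":
    verdict, failed, counts = assess(SAMPLE_OUTPUT)
    print(verdict, failed, counts)
    raise SystemExit(0 if verdict == "clean" else 1)
```

Run in a pipeline over the saved scan output, the non-zero exit on "untrusted" keeps a failed adapter from being recorded as a passing scan.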
I'm having the same issue when doing a scan on AWS.
This is due to an internal API issue at AWS - see https://github.com/aws/aws-sdk/issues/331
This issue is stale because it has been labeled with inactivity.
This is now fixed upstream in the aws-sdk; we just need to pull it in via defsec.
Btw, this seems to work for me now :+1: