aws ecr describe-image-scan-findings with no recommendations #8677

Open
oallauddin opened this issue May 10, 2024 · 3 comments
Labels
bug This issue is a bug. ecr p2 This is a standard priority issue response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. service-api This issue is due to a problem in a service API, not the SDK implementation.

Comments

@oallauddin
Describe the bug

aws ecr describe-image-scan-findings is not returning the recommendations that are in AWS Inspector.

Expected Behavior

Recommendations would match what is in AWS Inspector.
aws_inspector_info

Current Behavior

Recommendations always come back as None Provided for all findings.
aws_cli_response

Reproduction Steps

ECR repository in us-gov-west-1 with enhanced scanning and continuous scanning enabled.

aws ecr describe-image-scan-findings --repository-name namespace/repo-name --image-id imageTag=1.0.0 | jq -rc '.imageScanFindings.enhancedFindings | .[].remediation'

{"recommendation":{"text":"None Provided"}}
{"recommendation":{"text":"None Provided"}}
{"recommendation":{"text":"None Provided"}}
{"recommendation":{"text":"None Provided"}}

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.14.5 Python/3.9.16 Linux/5.15.146.1-microsoft-standard-WSL2 source/x86_64.amzn.2023 prompt/off

Environment details (OS name and version, etc.)

Amazon Linux 2023 WSL2

@oallauddin oallauddin added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 10, 2024
@tim-finnigan tim-finnigan self-assigned this May 15, 2024
@tim-finnigan tim-finnigan added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label May 15, 2024
@tim-finnigan
Contributor

Hi @oallauddin thanks for reaching out. The AWS CLI describe-image-scan-findings involves a call to the underlying DescribeImageScanFindings API. Therefore this issue relates to the API results rather than the CLI directly.

In the Response Syntax for the API it shows results for findings in addition to enhancedFindings. Do the results you're expecting show up there?

Or if there is an inconsistency between the console and API results, can you also confirm that you're using the same account for both?

@tim-finnigan tim-finnigan added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. service-api This issue is due to a problem in a service API, not the SDK implementation. ecr p2 This is a standard priority issue and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-triage This issue or PR still needs to be triaged. labels May 15, 2024
@oallauddin
Author

Hi @tim-finnigan,
Yes. I am using the same AWS account for both.
There is inconsistency between the AWS console and API results.
The recommendation text in the API response appears to be the only thing not matching the AWS console.
All findings in the API response have a recommendation text of "None Provided".

Our ECR registry is using enhanced scanning.
I am trying to pull and display the recommendation text for each AWS Inspector finding.
The API response returns an array of EnhancedImageScanning objects (enhancedFindings) when using enhanced scanning.
The Remediation and Recommendation objects are only available in an EnhancedImageScanning object.
https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_EnhancedImageScanFinding.html
https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Remediation.html
https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Recommendation.html
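
An added example, not part of the original comments and not AWS CLI code: a check a pipeline could run on the JSON from `aws ecr describe-image-scan-findings` to list which enhanced findings carry no usable `remediation.recommendation.text`, and to count the basic `findings` array asked about above. The function names and the sample response (including its CVE-style ids) are constructed for illustration.

```python
import json

# Placeholder text the issue reports in remediation.recommendation.text
PLACEHOLDER = "None Provided"

# Constructed sample shaped like `aws ecr describe-image-scan-findings` output;
# every value here is made up for illustration.
SAMPLE_RESPONSE = json.loads("""
{
  "imageScanFindings": {
    "findings": [],
    "enhancedFindings": [
      {"packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001"},
       "remediation": {"recommendation": {"text": "None Provided"}}},
      {"packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002"},
       "remediation": {"recommendation": {"text": "Upgrade otherpkg to a fixed version."}}},
      {"title": "CVE-0000-0003 - thirdpkg", "severity": "LOW"}
    ]
  }
}
""")


def recommendation_text(finding):
    """Return usable recommendation text, or None if absent or a placeholder."""
    rec = (finding.get("remediation") or {}).get("recommendation") or {}
    text = (rec.get("text") or "").strip()
    return None if not text or text.casefold() == PLACEHOLDER.casefold() else text


def audit_recommendations(response):
    """Summarise which enhanced findings lack a usable recommendation."""
    scan = response.get("imageScanFindings") or {}
    enhanced = scan.get("enhancedFindings") or []
    missing = []
    for f in enhanced:
        if recommendation_text(f) is None:
            details = f.get("packageVulnerabilityDetails") or {}
            missing.append(details.get("vulnerabilityId") or f.get("title", "<untitled>"))
    return {
        "basic_findings": len(scan.get("findings") or []),
        "enhanced_findings": len(enhanced),
        "missing_recommendation": missing,
        # True reproduces the symptom in this issue: every finding is a placeholder.
        "all_placeholder": bool(enhanced) and len(missing) == len(enhanced),
    }


if __name__ == "__main__":
    print(json.dumps(audit_recommendations(SAMPLE_RESPONSE), indent=2))
```

Feeding it the real CLI output (for example via `json.load(sys.stdin)`) and alerting on `all_placeholder` keeps a dashboard from silently showing "None Provided" as remediation guidance.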

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 16, 2024
@tim-finnigan
Contributor

Thanks for confirming. I think we will need to reach out to the ECR team regarding this issue, as they own the underlying APIs. Before forwarding this to them, could you just provide your debug logs (with sensitive info redacted) by adding --debug to the command? That could help with further investigation and understanding of the issue.

@tim-finnigan tim-finnigan added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 22, 2024