ECR: attributes are url-encoded #3038

Open
2 of 3 tasks
zerkms opened this issue Mar 18, 2025 · 2 comments
Labels
feature-request A feature should be added or improved. needs-reproduction This issue needs reproduction. service-api This issue is due to a problem in a service API, not the SDK implementation.

Comments

@zerkms

zerkms commented Mar 18, 2025

Acknowledgements

Describe the bug

ECR image scan findings include ImageScanFinding.Attributes field, that contains arbitrary key values.

The problem is that those key-values are url-encoded.

E.g.:

package_name: libxml2
package_version: 2.9.14%2Bdfsg-1.3%7Edeb12u1

See the version contains %7E.

I believe the SDK should hide all encoding/decoding from the library user and provide ready-to-use data.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

package_name: libxml2
package_version: 2.9.14+dfsg-1.3~deb12u1

Current Behavior

package_name: libxml2
package_version: 2.9.14%2Bdfsg-1.3%7Edeb12u1

Reproduction Steps

Obtain image scan findings types.ImageScanFindings and read its Attributes

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2 v1.36.3
github.com/aws/aws-sdk-go-v2/config v1.29.9
github.com/aws/aws-sdk-go-v2/credentials v1.17.62
github.com/aws/aws-sdk-go-v2/service/ecr v1.43.0
github.com/aws/aws-sdk-go-v2/service/sts v1.33.17

Compiler and Version used

1.24.1

Operating System and version

Ubuntu 24

@zerkms zerkms added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 18, 2025
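The decoding step the report asks the SDK to perform can be done on the caller's side today. The following is an added example (not code from the issue, the reporter, or aws-sdk-go-v2): `Attribute` is a local stand-in with the same `*string` field shape as the SDK's `types.Attribute`, and `DecodeAttributeValue` / `AttributesToMap` are hypothetical helper names. It uses `url.PathUnescape` rather than `url.QueryUnescape`, because the query variant also turns a literal `+` into a space, which would corrupt a Debian-style version such as `2.9.14+dfsg-1.3` if ECR ever returned it unencoded; a value that is not valid percent-encoding is passed through unchanged, so the helper is safe to apply even after ECR or the SDK starts decoding for you.

```go
package main

import (
	"fmt"
	"net/url"
)

// Attribute mirrors the shape of the SDK's types.Attribute (Key and Value are
// *string in aws-sdk-go-v2). It is a local stand-in so this example compiles
// without the SDK; use types.Attribute when working with real findings.
type Attribute struct {
	Key   *string
	Value *string
}

func str(s string) *string { return &s }

// DecodeAttributeValue reverses the percent-encoding seen in ECR scan finding
// attributes. url.PathUnescape is chosen on purpose: url.QueryUnescape would
// also map a literal '+' to a space, corrupting versions like "2.9.14+dfsg".
// A value that is not valid percent-encoding (e.g. a stray '%') is returned
// as-is, so decoding an already-decoded value is harmless.
func DecodeAttributeValue(raw string) string {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return raw
	}
	return decoded
}

// AttributesToMap flattens a finding's attribute list into a map of decoded
// values. Entries with a nil key are skipped, a nil value becomes "", and if
// a key is repeated the last occurrence wins.
func AttributesToMap(attrs []Attribute) map[string]string {
	out := make(map[string]string, len(attrs))
	for _, a := range attrs {
		if a.Key == nil {
			continue
		}
		v := ""
		if a.Value != nil {
			v = DecodeAttributeValue(*a.Value)
		}
		out[*a.Key] = v
	}
	return out
}

func main() {
	// Constructed sample in the shape of the attribute list quoted in this issue.
	attrs := []Attribute{
		{Key: str("CVSS3_SCORE"), Value: str("7.5")},
		{Key: str("CVSS3_VECTOR"), Value: str("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H")},
		{Key: str("package_version"), Value: str("2.9.14%2Bdfsg-1.3%7Edeb12u1")},
		{Key: str("package_name"), Value: str("libxml2")},
	}
	for k, v := range AttributesToMap(attrs) {
		fmt.Printf("%s: %s\n", k, v)
	}
}
```

With real findings, replace the constructed slice with `finding.Attributes` from each `types.ImageScanFinding` returned by `DescribeImageScanFindings`; the CVSS vector passes through unchanged because it contains no `%` sequences.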
@Madrigal
Contributor

Looking at this.

I haven't been able to reproduce this. The image that I have handy doesn't include these packages, and the HTTP response that I see has these attributes as JSON and not URL-encoded. Sample (trimmed) HTTP response from ECR:

{
    "imageId": {
        "imageDigest": "sha256:xxxxxxxxxx"
    },
    "imageScanFindings": {
        "findingSeverityCounts": {
            "HIGH": 9001,
            "MEDIUM": 9001
        },
        "findings": [{
            "attributes": [{
                "key": "CVSS3_SCORE",
                "value": "7.8"
            }, {
                "key": "CVSS3_VECTOR",
                "value": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
            }, {
                "key": "package_version",
                "value": "6.0.121-135.201.2231"
            }, {
                "key": "package_name",
                "value": "kernel-headers"
            }],
            "description": "Some scary bug",
            "name": "CVE-2020-12345",
            "severity": "HIGH",
            "uri": "https://nvd.nist.gov/vuln/detail/CVE-2020-12345"
        },

Can you print the raw HTTP response that you get? Here's sample code on how to achieve that:

ctx := context.Background() // any context works here
// LogResponseWithBody makes the SDK log each HTTP response, body included
cfg, err := config.LoadDefaultConfig(ctx, config.WithClientLogMode(aws.LogResponseWithBody))
if err != nil {
	log.Fatal("unable to load SDK config: ", err)
}
// every call made through this client now logs the raw response from ECR
client := ecr.NewFromConfig(cfg)

At minimum, we'd like ECR to acknowledge in their docs that these fields are encoded.

@Madrigal Madrigal added feature-request A feature should be added or improved. service-api This issue is due to a problem in a service API, not the SDK implementation. needs-reproduction This issue needs reproduction. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 19, 2025
@zerkms
Author

zerkms commented Mar 19, 2025

@Madrigal you have simply chosen a CVE that affects a package that has a version that does not need percent encoding.

Here is a raw response from an aws cli call:

aws ecr describe-image-scan-findings --registry-id <redacted> --repository-name <redacted> --image-id imageTag=<redacted>
            {
                "name": "CVE-2025-27113",
                "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.",
                "uri": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113",
                "severity": "HIGH",
                "attributes": [
                    {
                        "key": "CVSS3_SCORE",
                        "value": "7.5"
                    },
                    {
                        "key": "CVSS3_VECTOR",
                        "value": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                    },
                    {
                        "key": "package_version",
                        "value": "2.9.14%2Bdfsg-1.3%7Edeb12u1"
                    },
                    {
                        "key": "package_name",
                        "value": "libxml2"
                    }
                ]
            },

Interestingly, the API reference DOES NOT describe those as percent encoded https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Attribute.html

So I guess the documentation also has to be fixed.

UPD: oops, I didn't notice you have also provided a link, somehow the last line of your comment got into my blind spot.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 20, 2025