bug(template): Message field not escaped in asff.tpl

[DmitriyLewen]

Discussed in #7391

^{Originally posted by aliaksxssv August 26, 2024}

Description

ASFF report contains a Message field with double quotes inside the value. This makes using jq impossible as it causes error:

parse error: Invalid numeric literal at line XXXX, column XXXX

We need jq to adjust report before submitting to the AWS SecurityHub:

$ cat trivy_raw.asff | jq '.Findings' > trivy_sechub.asff

ASFF report snippet:

"ProductFields": { "Product Name": "Trivy" }, "Resources": [ { "Type": "Other", "Id": "templates/cronjob.yaml", "Partition": "aws", "Region": "", "Details": { "Other": { "Message": "container "helm-cronjob" of cronjob "helm-cronjob" in "default" namespace should specify a seccomp profile", "Filename": "templates/cronjob.yaml", "StartLine": "0", "EndLine": "0" } } } ], "RecordState": "ACTIVE"

Desired Behavior

escape function should be applied as it was done before for the Title field

"Message": "{{ escapeString .Message }}"

Actual Behavior

No escape function

"Message": "{{ .Message }}"

Reproduction Steps

just create trivy report using asff template

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

n/a

Operating System

any

Version

0.54.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

We usually use '.
But it looks like KSV104 uses ".
@simar7 @nikpivkin you might want to change that.