
fix(sarif): check url before converting to string #8154

Open
2 tasks done
nikpivkin opened this issue Dec 21, 2024 Discussed in #8150 · 2 comments · May be fixed by #8399
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@nikpivkin (Contributor)

If the URL is invalid, we log this and return nil. Further operations with such a URL may cause a panic.

Discussed in #8150

Originally posted by natenho December 21, 2024

### Description

Hello, the latest Trivy version is returning an error when generating a SARIF file.

### Desired Behavior

No error

### Actual Behavior

```
+ wget https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh -O - | sh -s -- -b /usr/local/bin latest
Connecting to raw.githubusercontent.com (185.199.109.133:443)
writing to stdout
-                    100% |********************************| 10578  0:00:00 ETA
written to stdout
aquasecurity/trivy info checking GitHub for tag 'latest'
aquasecurity/trivy info found version: 0.58.0 for v0.58.0/Linux/64bit
aquasecurity/trivy info installed /usr/local/bin/trivy

+ trivy fs --scanners vuln,misconfig $TRIVY_ARGS . || export TRIVY_FAILED=$?
2024-12-20T23:51:50Z	INFO	[vulndb] Need to update DB
2024-12-20T23:51:50Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-20T23:51:50Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T23:51:54Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T23:51:54Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-20T23:51:54Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-20T23:51:54Z	INFO	[misconfig] Need to update the built-in checks
2024-12-20T23:51:54Z	INFO	[misconfig] Downloading the built-in checks...
2024-12-20T23:51:59Z	INFO	[terraform scanner] Scanning root module	file_path="terraform"
2024-12-20T23:51:59Z	INFO	[terraform scanner] Scanning root module	file_path="terraform-ecr"
2024-12-20T23:52:00Z	INFO	Number of language-specific files	num=1
2024-12-20T23:52:00Z	INFO	[gomod] Detecting vulnerabilities...
2024-12-20T23:52:00Z	INFO	Detected config files	num=7
2024-12-20T23:52:00Z	ERROR	[sarif] Unable to parse URI	URI="[email protected]:REDACTED/REDACTED.git/terraform?ref=1.8.4/terraform/.terraform/modules/aws_ecs_app/terraform/sg.tf" err="parse \"[email protected]:REDACTED/REDACTED.git/terraform?ref=1.8.4/terraform/.terraform/modules/aws_ecs_app/terraform/sg.tf\": first path segment in URL cannot contain colon"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x5d8714]
goroutine 1 [running]:
net/url.(*URL).String(0x0)
	/opt/hostedtoolcache/go/1.22.9/x64/src/net/url/url.go:817 +0x34
github.com/aquasecurity/trivy/pkg/report.(*SarifWriter).addSarifResult(0xc00f4aca00, 0xc00f4e61c0)
	/home/runner/work/trivy/trivy/pkg/report/sarif.go:114 +0x30f
github.com/aquasecurity/trivy/pkg/report.(*SarifWriter).Write(_, {_, _}, {0x2, {0xc1d19ea814fa667b, 0x238b6ae57, 0x820f0a0}, {0x7ffd3e0e7429, 0x1}, {0x47c4e65, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/report/sarif.go:186 +0x13a5
github.com/aquasecurity/trivy/pkg/report.Write({_, _}, {0x2, {0xc1d19ea814fa667b, 0x238b6ae57, 0x820f0a0}, {0x7ffd3e0e7429, 0x1}, {0x47c4e65, 0xa}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/report/writer.go:102 +0x8e6
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).Report(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:276 +0x92
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc000873950, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:395 +0xc4e
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc0009d5508, {0xc000424a50, 0x1, 0xf})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc0009d5508, {0xc000424960, 0xf, 0xf})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc0009d4f08)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
```

### Reproduction Steps

```bash
export TRIVY_ARGS="--ignorefile ./.trivyignore.yml --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --severity HIGH,CRITICAL --exit-code 1 --format sarif -o trivy.sarif"
trivy fs --scanners vuln,misconfig $TRIVY_ARGS .
```


### Target

Git Repository

### Scanner

Misconfiguration

### Output Format

SARIF

### Mode

Standalone

### Debug Output

```bash
--
```

### Operating System

Linux (bitbucket CI/CD)

### Version

0.58.0 for v0.58.0/Linux/64bit

### Checklist
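The failure mode the issue body describes (parse error logged, nil returned, `(*url.URL).String` called on the nil) next to a nil-safe conversion, as an added example that is not Trivy's code. The scp-style module path is a constructed analogue of the redacted URI in the log; `parseURILogNil`, `unsafeURIString` and `safeURIString` are hypothetical names.

```go
package main

import (
	"fmt"
	"log"
	"net/url"
)

// Constructed analogue of the redacted Terraform module source in the issue:
// an scp-style git address whose first path segment contains a colon.
const scpStylePath = "git@bitbucket.example:team/repo.git/terraform?ref=1.8.4/terraform/.terraform/modules/app/terraform/sg.tf"

// parseURILogNil reproduces the pattern the issue describes: on a parse
// error it logs and returns nil, leaving the caller to dereference it.
func parseURILogNil(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		log.Printf("[sarif] Unable to parse URI: %v", err)
		return nil
	}
	return u
}

// unsafeURIString is the crashing call path: (*url.URL).String on a nil
// receiver faults, as in the stack trace; recover makes it observable.
func unsafeURIString(raw string) (s string, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	return parseURILogNil(raw).String(), false
}

// safeURIString is the hardened form: check before converting, and pass an
// unparseable path through unchanged so the result still names the file.
func safeURIString(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u == nil {
		log.Printf("[sarif] Unable to parse URI, keeping raw path: %v", err)
		return raw
	}
	return u.String()
}

func main() {
	_, panicked := unsafeURIString(scpStylePath)
	fmt.Println("unsafe path panicked:", panicked)
	fmt.Println("safe path:", safeURIString(scpStylePath))
}
```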

nikpivkin added the kind/bug label on Dec 21, 2024
@rperez-fo

This was fixed for github.com repos:

#7898

A similar fix will need to be done for Bitbucket repos.

@rperez-fo

PR: #8399
