
Comments (6)

tim-finnigan commented on June 20, 2024

Hi @oallauddin thanks for reaching out. The AWS CLI describe-image-scan-findings involves a call to the underlying DescribeImageScanFindings API. Therefore this issue relates to the API results rather than the CLI directly.

In the Response Syntax for the API it shows results for findings in addition to enhancedFindings. Do the results you're expecting show up there?

Or if there is an inconsistency between the console and API results, can you also confirm that you're using the same account for both?

from aws-cli.

oallauddin commented on June 20, 2024

Hi @tim-finnigan ,
Yes. I am using the same AWS account for both.
There is an inconsistency between the AWS console and API results.
The recommendation text in the API response appears to be the only thing not matching the AWS console.
All findings in the API response have a recommendation text of "None Provided".

Our ECR registry is using enhanced scanning.
I am trying to pull and display the recommendation text for each AWS Inspector finding.
The API response returns an array of EnhancedImageScanning objects (enhancedFindings) when using enhanced scanning.
The Remediation and Recommendation objects are only available in an EnhancedImageScanning object.
https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_EnhancedImageScanFinding.html
https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Remediation.html
https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Recommendation.html


tim-finnigan commented on June 20, 2024

Thanks for confirming. I think we will need to reach out to the ECR team regarding this issue, as they own the underlying APIs. Before forwarding this to them, could you just provide your debug logs (with sensitive info redacted) by adding --debug to the command? That could help with further investigation and understanding of the issue.


oallauddin commented on June 20, 2024

I reached out to AWS admins and they have started an AWS support issue.


oallauddin commented on June 20, 2024

I am going to close this issue since it is not AWS CLI related and is an issue with the API.
For the moment it appears we will have to use inspector2 list-findings.
AWS support is still looking into why the Remediation recommendation is always "None Provided".
AWS support is reaching out to the ECR and Inspector teams.

aws inspector2 list-findings --filter-criteria '{"ecrImageRepositoryName":[{"comparison":"EQUALS","value":"image-namespace/image-name"}],"ecrImageTags":[{"comparison":"EQUALS","value":"1.0.0"}]}'

The Inspector API version of the VulnerablePackage object seems to be the only way to get remediation information for a vulnerability at the moment.
Inspector API
https://docs.aws.amazon.com/inspector/v2/APIReference/API_VulnerablePackage.html
ECR API
https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_VulnerablePackage.html

The Remediation object in both the Inspector API and the ECR API appears to always have a recommendation value of "None Provided".
Inspector API
https://docs.aws.amazon.com/inspector/v2/APIReference/API_Remediation.html
ECR API
https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Remediation.html

from aws-cli.
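The workaround in the comment above, as an added example that is not part of the original thread or of the AWS CLI: it reads the JSON that `aws inspector2 list-findings` returns and, for each vulnerable package, picks the best remediation hint when the finding-level recommendation text is the "None Provided" placeholder. Field names follow the Inspector API Finding and VulnerablePackage objects linked above; the sample data, the CVE placeholders and the "NotAvailable" no-fix marker are assumptions made for the example.

```python
PLACEHOLDER = "None Provided"   # text the thread reports for every finding
NO_FIX = "NotAvailable"         # assumed marker for "no fixed version published"

# Constructed sample shaped like `aws inspector2 list-findings` output.
SAMPLE = {"findings": [
    {"title": "CVE-0000-0001 - openssl",
     "remediation": {"recommendation": {"text": "None Provided"}},
     "packageVulnerabilityDetails": {"vulnerablePackages": [
         {"name": "openssl", "version": "3.0.1", "fixedInVersion": "3.0.2",
          "remediation": "apt-get update && apt-get upgrade"}]}},
    {"title": "CVE-0000-0002 - zlib",
     "remediation": {"recommendation": {"text": "None Provided"}},
     "packageVulnerabilityDetails": {"vulnerablePackages": [
         {"name": "zlib", "version": "1.2.11", "fixedInVersion": "1.2.12"}]}},
    {"title": "CVE-0000-0003 - busybox",
     "remediation": {"recommendation": {"text": "None Provided"}},
     "packageVulnerabilityDetails": {"vulnerablePackages": [
         {"name": "busybox", "version": "1.35.0", "fixedInVersion": "NotAvailable"}]}},
]}


def usable(text):
    """Return stripped text, or None if it is empty or a known placeholder."""
    text = (text or "").strip()
    return None if text in ("", PLACEHOLDER, NO_FIX) else text


def remediation_rows(response):
    """One row per (finding, package) with the best remediation hint available."""
    rows = []
    for f in response.get("findings", []):
        top = usable(f.get("remediation", {}).get("recommendation", {}).get("text"))
        pkgs = f.get("packageVulnerabilityDetails", {}).get("vulnerablePackages", [])
        for p in pkgs:
            pkg_text = usable(p.get("remediation"))
            fixed = usable(p.get("fixedInVersion"))
            # Preference order: package remediation, fixed version, finding text.
            hint = pkg_text or (f"upgrade {p['name']} to {fixed}" if fixed else None) or top
            source = ("package.remediation" if pkg_text
                      else "package.fixedInVersion" if fixed
                      else "finding.recommendation" if top else "none")
            rows.append({"title": f["title"], "package": p["name"],
                         "hint": hint, "source": source})
    return rows


if __name__ == "__main__":
    for row in remediation_rows(SAMPLE):
        print(f"{row['title']:<26} {row['source']:<24} {row['hint']}")
```

Rows whose source is "none" are the findings to track manually, since neither API object carries a usable fix for them.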

github-actions commented on June 20, 2024

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

