AAD report error due to invalid JSON result #1607

Open
Strawberryww opened this issue Mar 3, 2025 · 3 comments
Labels
bug This issue or pull request addresses broken functionality public-reported This issue is reported by the public users of the tool.

@Strawberryww

🐛 Summary

When using ScubaGear 1.5.0 to scan AAD, it reports the following error:

    unable to parse input: yaml: line 12: found unknown escape character
    Fatal Error involving the Report Creation.                                                                                           Ending ScubaGear execution. Error: Invalid JSON primitive: .

    at New-Report, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\CreateReport\CreateReport.psm1: line 66
    at Invoke-ReportCreation<Process>, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1: line 1277
    at Invoke-SCuBA<Process>, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1: line 440
    at <ScriptBlock>, <No file>: line 1
    At C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1:1371 char:13
    +             throw $InvokeReportErrorMessage
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (Fatal Error inv...o file>: line 1:String) [], RuntimeException
        + FullyQualifiedErrorId : Fatal Error involving the Report Creation.
                Ending ScubaGear execution. Error: Invalid JSON primitive: .

    at New-Report, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\CreateReport\CreateReport.psm1: line 66
    at Invoke-ReportCreation<Process>, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1: line 1277
    at Invoke-SCuBA<Process>, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1: line 440
    at <ScriptBlock>, <No file>: line 1

To reproduce

My Azure tenant can always reproduce the error, but another tenant is OK.

The invoke command is as below:

    Invoke-SCuBA -ProductNames aad -CertificateThumbprint "<Thumbprint>" -AppID "<AppId>" -Organization <Org> -Outpath <outputPath>

Env:
ScubaGear: 1.5.0
PowerShell: 5.1.19041.5369
Windows 10 Pro: 10.0.19045 N/A Build 19045

Expected behavior

There should be no such error.

Any helpful log output or screenshots

The generated JSON result is as below:

    ...
    "risky_third_party_service_principals": ,
    "aad_successful_commands": [
    "Get-MgBetaIdentityConditionalAccessPolicy",
    "Get-MgBetaSubscribedSku",
    "Get-PrivilegedUser",
    "Get-PrivilegedRole",
    "Get-MgBetaUserCount",
    ...

The risky_third_party_service_principals field is missing its value.

Possibly the error is related to the following code in PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1:

Image

Error in PowerShell:

Image

mitchelbaker-cisa self-assigned this Mar 3, 2025
mitchelbaker-cisa added this to the Marlin milestone Mar 3, 2025
mitchelbaker-cisa added the bug and public-reported labels Mar 3, 2025

@mitchelbaker-cisa
Collaborator

mitchelbaker-cisa commented Mar 3, 2025

Hey @Strawberryww, thanks for reporting this issue. We have replicated the bug and are looking into a fix. Are you seeing any results for the risky_applications object above risky_third_party_service_principals?

@Strawberryww
Author

@mitchelbaker-cisa Thanks. Yes, there is a result for the risky_applications object above risky_third_party_service_principals:

Image

@mitchelbaker-cisa
Collaborator

I created a new branch that adds additional error handling to the Format-RiskyThirdPartyServicePrincipals function. The issue seems to stem from the function returning @($null), which PowerShell internally converts to $null. The null value is handled as an invalid JSON primitive when we generate the ScubaResults.json file, resulting in the error message you have attached above.

Do you mind downloading a zip of the new branch to test out the fix? It can be found here:
https://github.com/cisagov/ScubaGear/archive/refs/heads/1607-risky-sps-invalid-json.zip

After importing it in a new PowerShell terminal, run Import-Module .\PowerShell\ScubaGear, then run ScubaGear in either interactive/noninteractive mode. The Entra ID report should generate correctly.
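
The failure mode described in the last comment, as an added example that is not part of the thread and not ScubaGear's code: a function that returns `@($null)` hands `$null` to its caller, and interpolating that into a JSON template leaves the key with no value. All function names, keys and sample data are hypothetical, and the guard shown is one way to normalize the value, not the project's fix.

```powershell
# Added illustration: all names and data below are constructed, not ScubaGear code.

# Hypothetical formatter with the defect: the "nothing found" path returns
# @($null), which the output stream unrolls, so the caller receives $null.
function Get-RiskyItemsUnsafe {
    param([object[]]$Items = @())
    if ($Items.Count -eq 0) { return @($null) }
    return $Items
}

# Guard: drop nulls, force an array, and emit a JSON array even when empty.
function ConvertTo-JsonArrayText {
    param([AllowNull()][object[]]$Items)
    $Clean = @($Items | Where-Object { $null -ne $_ })
    if ($Clean.Count -eq 0) { return '[]' }
    return ConvertTo-Json -InputObject $Clean -Depth 3 -Compress
}

# Parse check to run before a results file is written or handed to a report step.
function Test-JsonText {
    param([string]$Text)
    try { $null = ConvertFrom-Json -InputObject $Text -ErrorAction Stop; return $true }
    catch { return $false }
}

$Unsafe = Get-RiskyItemsUnsafe            # caller sees $null, not an empty array
$Safe   = ConvertTo-JsonArrayText -Items $Unsafe

# Interpolating $null leaves '"risky_items": ,' in the document.
$BadJson = @"
{
    "risky_items": $Unsafe,
    "successful_commands": ["Get-Example"]
}
"@

$GoodJson = @"
{
    "risky_items": $Safe,
    "successful_commands": ["Get-Example"]
}
"@

"Caller received null:    $($null -eq $Unsafe)"
"Unsafe document parses:  $(Test-JsonText $BadJson)"
"Guarded document parses: $(Test-JsonText $GoodJson)"
```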
