Add support for Mariner distribution #1220

Closed
eric-desrochers opened this issue Apr 5, 2023 · 14 comments
@eric-desrochers

eric-desrochers commented Apr 5, 2023

What happened:
Although Mariner (https://github.com/Microsoft/CBL-Mariner) seems to be in the supported distro list:
https://github.com/anchore/grype/blob/main/grype/distro/type.go#L11-L27

The vulnerability scan doesn't work.

What you expected to happen:
We expect Grype to detect CVEs for Mariner container.

How to reproduce it (as minimally and precisely as possible):

[Latest available Mariner 2.0 container image]
$ grype mcr.microsoft.com/cbl-mariner/base/core:2.0
✔ Vulnerability DB        [updated]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages      [70 packages]
✔ Scanning image...       [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed
No vulnerabilities found

[Our first public GA Mariner 2.0 container image] This one should have reported tons of CVEs, proving it doesn’t support Mariner 2.0 out of the box.
$ sudo grype mcr.microsoft.com/cbl-mariner/base/core:2.0.20220426
✔ Vulnerability DB        [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages      [67 packages]
✔ Scanning image...       [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed
No vulnerabilities found

Anything else we need to know?:
Our core container image:
mcr.microsoft.com/cbl-mariner/base/core:2.0

Oval file:
https://raw.githubusercontent.com/microsoft/CBL-MarinerVulnerabilityData/main/cbl-mariner-2.0-oval.xml

Environment:

  • Output of grype version:
    [0000] INFO grype version: 0.61.0
  • OS (e.g: cat /etc/os-release or similar):
# cat /etc/os-release
NAME="Common Base Linux Mariner"
VERSION="2.0.20230321"
ID=mariner
VERSION_ID="2.0"
PRETTY_NAME="CBL-Mariner/Linux"
ANSI_COLOR="1;34"
HOME_URL="https://aka.ms/cbl-mariner"
BUG_REPORT_URL="https://aka.ms/cbl-mariner"
SUPPORT_URL="https://aka.ms/cbl-mariner"

eric-desrochers added the bug (Something isn't working) label Apr 5, 2023

@tgerla
Contributor

tgerla commented Apr 13, 2023

Hi @eric-desrochers, thanks for the report. The reason why we aren't picking up any vulnerabilities here is because although we do have basic support to identify the Mariner distribution, we don't have any of Mariner's vulnerability data in the Grype database.

Vunnel ("vulnerability funnel", a tool we just released) will need to have support added to parse the Mariner vulnerability database. Once that's done and integrated into our nightly database maintenance process, then we should be able to detect those vulnerabilities.

We can add this issue to our backlog, but if you'd like to tackle this project before we get to it, please let us know and we can point you in the right direction. The best place to start will probably be the Vunnel docs here:

https://github.com/anchore/vunnel/blob/main/README.md
https://github.com/anchore/vunnel/blob/main/DEVELOPING.md

And we have built a very simple example provider to get people started implementing a new data source: https://github.com/anchore/vunnel/blob/main/example/README.md

We think the Oval file you linked in this issue will be the right place to start ingesting vulnerability data in Vunnel.

Cc: @westonsteimel
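
The ingestion step tgerla describes, as an added example that is not part of the thread and is not Vunnel's own provider code: it joins an OVAL file's definitions, tests, objects and states into per-CVE package records. The sample document is constructed in the standard OVAL rpminfo layout from the ncurses-libs row shown later in this thread; the real Mariner feed's exact layout, and the reading of "less than" as the fixed version, are assumptions.

```python
import xml.etree.ElementTree as ET

OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"d": OVAL, "l": OVAL + "#linux"}

# Constructed sample in the standard OVAL rpminfo layout (not copied from the feed).
SAMPLE = f"""<oval_definitions xmlns="{OVAL}" xmlns:l="{OVAL}#linux">
  <definitions><definition class="vulnerability" id="oval:example:def:1" version="1">
    <metadata><reference source="CVE" ref_id="CVE-2023-29491"/></metadata>
    <criteria><criterion test_ref="oval:example:tst:1"/></criteria>
  </definition></definitions>
  <tests><l:rpminfo_test id="oval:example:tst:1" check="at least one" version="1">
    <l:object object_ref="oval:example:obj:1"/><l:state state_ref="oval:example:ste:1"/>
  </l:rpminfo_test></tests>
  <objects><l:rpminfo_object id="oval:example:obj:1" version="1">
    <l:name>ncurses-libs</l:name>
  </l:rpminfo_object></objects>
  <states><l:rpminfo_state id="oval:example:ste:1" version="1">
    <l:evr datatype="evr_string" operation="less than">0:6.4-1.cm2</l:evr>
  </l:rpminfo_state></states>
</oval_definitions>"""

def parse_oval(xml_text):
    """Join definition -> test -> object/state into flat advisory records."""
    root = ET.fromstring(xml_text)
    names = {o.get("id"): o.findtext("l:name", namespaces=NS)
             for o in root.iterfind("d:objects/l:rpminfo_object", NS)}
    states = {s.get("id"): s.find("l:evr", NS)
              for s in root.iterfind("d:states/l:rpminfo_state", NS)}
    tests = {t.get("id"): (t.find("l:object", NS).get("object_ref"),
                           t.find("l:state", NS).get("state_ref"))
             for t in root.iterfind("d:tests/l:rpminfo_test", NS)}
    records = []
    for d in root.iterfind("d:definitions/d:definition", NS):
        cves = [r.get("ref_id") for r in d.iterfind("d:metadata/d:reference", NS)]
        for c in d.iterfind(".//d:criterion", NS):
            if c.get("test_ref") not in tests:
                continue  # criterion that is not an rpminfo test
            obj_ref, state_ref = tests[c.get("test_ref")]
            evr = states[state_ref]
            # Assumption: "less than" marks builds below evr as affected, so evr is the fix.
            fixed = evr.text if evr.get("operation") == "less than" else None
            records += [{"cve": v, "package": names[obj_ref], "fixed_in": fixed} for v in cves]
    return records

def advisories_for(records, installed_names):
    """Name-only prefilter; a real matcher must still compare RPM EVR strings."""
    wanted = set(installed_names)
    return [r for r in records if r["package"] in wanted]
```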

@eric-desrochers
Author

eric-desrochers commented Apr 14, 2023

Thanks @tgerla for the quick update.
I'll relay the information to @bcombs-msft for the continuity of the discussion.

willmurphyscode self-assigned this May 15, 2023

@willmurphyscode
Contributor

Hi @eric-desrochers,

We've started working on this, but wanted to confirm the correct download link, since we'll be downloading new data nightly. Is https://raw.githubusercontent.com/microsoft/CBL-MarinerVulnerabilityData/main/cbl-mariner-2.0-oval.xml the right link, or is there another CDN for this data?

Also, we noticed that there's a 1.0 and 2.0 of the xml file. I assume those report vulnerabilities in 1.0 and 2.0 of the Mariner distro respectively? Is there a place where we can query which versions of mariner we should expect to find an OVAL XML file for?

We were also wondering whether this OVAL XML is the final format, or whether this format is still in flux?

@eric-desrochers
Author

eric-desrochers commented May 15, 2023

> Hi @eric-desrochers,
>
> We've started working on this, but wanted to confirm the correct download link, since we'll be downloading new data nightly. Is https://raw.githubusercontent.com/microsoft/CBL-MarinerVulnerabilityData/main/cbl-mariner-2.0-oval.xml the right link, or is there another CDN for this data?

That's right, the link to our Mariner 2.0 OVAL file to use as a data source:
https://raw.githubusercontent.com/microsoft/CBL-MarinerVulnerabilityData/main/cbl-mariner-2.0-oval.xml

> Also, we noticed that there's a 1.0 and 2.0 of the xml file. I assume those report vulnerabilities in 1.0 and 2.0 of the Mariner distro respectively?

Your assumption is correct. Please ignore Mariner 1.0 as it will reach EOL in July. Let's only focus on Mariner 2.0 support.

> Is there a place where we can query which versions of mariner we should expect to find an OVAL XML file for?

What version of Mariner or what version of Mariner's binary packages?

> We were also wondering whether this OVAL XML is the final format, or whether this format is still in flux?

This is the final OVAL file format. Other scanning vendors are using it.

@eric-desrochers
Author

eric-desrochers commented May 15, 2023

The support is already found in the syft codebase, if it helps as a reference:
https://github.com/anchore/syft/pulls?q=is%3Apr+mariner+is%3Aclosed

@willmurphyscode
Contributor

Thanks for the quick answers @eric-desrochers !

> What version of Mariner or what version of Mariner's binary packages?

I was wondering whether there's a list of valid mariner versions somewhere. For example, there are 1.0 and 2.0 XML files in the repo, but apparently 1.0 is almost EOL. Are there other versions of Mariner, or will there be in the future? Is there a way to programmatically know which ones we should try to download vulnerabilities for?

@eric-desrochers
Author

To answer your question we are only releasing Major Release.
The current formula that we are using for Major Release is "X.0" where we increment X at each release.
New Major releases occur (that is subject to change) every 2-3 years as we speak.

  • 1.0 is on the sunset path.
  • For now the focus is only on 2.0.
  • We will have 3.0 in the future.

wagoodman added the enhancement (New feature or request) label and removed the bug (Something isn't working) label May 16, 2023
wagoodman changed the title from "grype doesn't seems to entirely support Mariner distribution" to "Add support for Mariner distribution" May 16, 2023

@willmurphyscode
Contributor

We are about to release the PRs linked above, but we just learned that Mariner Linux has been renamed to Azure Linux. Since we haven't released this yet, we thought it might be a good idea to stop and rename it, so that we release once under the long-term name, rather than having to release a rename later. But we have a couple of questions:

  1. Will the ID field in /etc/os-release change in later releases of Mariner/Azure?
  2. Will the GitHub repo at https://github.com/microsoft/CBL-MarinerVulnerabilityData be renamed?
  3. Anything else we should know about this rename?

@eric-desrochers
Author

eric-desrochers commented May 26, 2023

> We are about to release the PRs linked above, but we just learned that Mariner Linux has been renamed to Azure Linux. Since we haven't released this yet, we thought it might be a good idea to stop and rename it, so that we release once under the long-term name, rather than having to release a rename later. But we have a couple of questions:
>
>   1. Will the ID field in /etc/os-release change in later releases of Mariner/Azure?

Definitely not in Mariner 2.0 lifetime. Possibly in 3.0 release. @bcombs-msft will keep you posted.

>   2. Will the GitHub repo at https://github.com/microsoft/CBL-MarinerVulnerabilityData be renamed?

Definitely not in Mariner 2.0 lifetime. Possibly in 3.0 release. @bcombs-msft will keep you posted.

>   3. Anything else we should know about this rename?

It is only for AKS Container host that Mariner has been rebranded but /etc/os-release remains the same anyway, so as our other artifacts (Container/VM) will remain as is for now at least for Mariner 2.0 lifetime.

@willmurphyscode
Contributor

Thanks for the quick answers!

We have added the Mariner Linux vulnerability feed to vunnel, and grype has picked it up. Example run against Mariner 2.0 (grype command from first comment on this issue):

❯ grype mcr.microsoft.com/cbl-mariner/base/core:2.0
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [70 packages]
 ✔ Scanning image...       [10 vulnerabilities]
   ├── 1 critical, 7 high, 2 medium, 0 low, 0 negligible
   └── 1 fixed

NAME          INSTALLED     FIXED-IN     TYPE  VULNERABILITY   SEVERITY
glibc         2.35-3.cm2                 rpm   CVE-2010-4756   Medium
glibc         2.35-3.cm2                 rpm   CVE-2021-3998   High
glibc         2.35-3.cm2                 rpm   CVE-2023-0687   Critical
libgcc        11.2.0-4.cm2               rpm   CVE-2022-41724  High
libgcc        11.2.0-4.cm2               rpm   CVE-2022-41725  High
libstdc++     11.2.0-4.cm2               rpm   CVE-2022-41724  High
libstdc++     11.2.0-4.cm2               rpm   CVE-2022-41725  High
lua-libs      5.4.3-5.cm2                rpm   CVE-2021-44964  Medium
ncurses-libs  6.3-2.cm2     0:6.4-1.cm2  rpm   CVE-2023-29491  High
nghttp2       1.46.0-2.cm2               rpm   CVE-2021-46023  High

I'm going to close this, since I believe it's fully implemented, but please let us know if anything is still missing.

@eric-desrochers
Author

What version of grype will officially support Mariner 2.0 ?
Will you have any public documentation about it ?

@willmurphyscode
Contributor

The current version of grype (0.62.0) and later support Mariner, since grype will use available data from vunnel, and Mariner support was added to vunnel in anchore/vunnel#181. There aren't any public docs yet, but we'll update here when there are.

spiffcs added the changelog-ignore (Don't include this issue in the release changelog) label Jun 5, 2023

@eric-desrochers
Author

Do you have any update on the public documentation ?

@spiffcs
Contributor

spiffcs commented Oct 24, 2023

👋 Hey @eric-desrochers!

I've made a quick PR that adds mariner to our README, which shows it as an officially supported distribution:
https://github.com/anchore/grype/pull/1569/files

Here is a quick screenshot that shows grype now working with the image you provided at the top of this issue:
[Image: Screenshot 2023-10-23 at 10 33 23 PM]

If you want more coverage or had something else in mind let me know and we can workshop to get it added =)
