VEX documents not taken into account when --fail-on is set #1639

Closed
ferozsalam opened this issue Dec 18, 2023 · 3 comments · Fixed by #1657
Labels
bug Something isn't working

Comments

@ferozsalam
Contributor

What happened:

Using the --fail-on flag doesn't appear to take into account the contents of a VEX document that has been provided using the --vex flag - even if several CVEs have been marked as not_affected in the VEX document, the command still fails when the --fail-on flag is set.

This is inconsistent with the behaviour shown when a .grype.yaml file is used with an ignore block defined, despite VEX documents and the ignore block having similar purposes.

What you expected to happen:

If Grype is invoked with both --vex and --fail-on set, and all CVEs in the scanned image are defined as not_affected in the VEX document, I would expect the command to pass successfully, as it does when all such CVEs are defined in a .grype.yaml ignore block.

How to reproduce it (as minimally and precisely as possible):

Create the following VEX doc and save it as test-vex.json:

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-cb58dca06abcf3da095d3f5e6126128aeb39b145e57d4eac468483eb75b5c014",
  "author": "Unknown Author",
  "timestamp": "2023-12-18T12:00:54.292255Z",
  "last_updated": "2023-12-18T12:01:58.35081Z",
  "version": 4,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2023-42366"
      },
      "timestamp": "2023-12-18T12:00:54.292256Z",
      "products": [
        {
          "@id": "pkg:oci/busybox"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    },
    {
      "vulnerability": {
        "name": "CVE-2023-42365"
      },
      "timestamp": "2023-12-18T12:01:17.799359Z",
      "products": [
        {
          "@id": "pkg:oci/busybox"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    },
    {
      "vulnerability": {
        "name": "CVE-2023-42364"
      },
      "timestamp": "2023-12-18T12:01:41.069995Z",
      "products": [
        {
          "@id": "pkg:oci/busybox"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    },
    {
      "vulnerability": {
        "name": "CVE-2023-42363"
      },
      "timestamp": "2023-12-18T12:01:58.35081Z",
      "products": [
        {
          "@id": "pkg:oci/busybox"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}

Using the --vex flag with the JSON file above to filter out the CVEs works as expected:

➜  ~ grype busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3 --vex test-vex.json
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                                     busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3
 ✔ Parsed image                                                                    sha256:a6969cfac53d7d994eabab99ef8080b8495ae7ddd34731128718316797c2244b
 ✔ Cataloged packages              [1 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 4 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 4 not-fixed, 4 ignored
No vulnerabilities found

However, if you set the --fail-on flag, the --vex flag is ignored and the vulnerabilities reappear.

➜  ~ grype busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3 --vex test-vex.json --fail-on medium
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                                     busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3
 ✔ Parsed image                                                                    sha256:a6969cfac53d7d994eabab99ef8080b8495ae7ddd34731128718316797c2244b
 ✔ Cataloged packages              [1 packages]
 ✘ Scan for vulnerabilities        [4 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 4 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 4 not-fixed, 0 ignored
NAME     INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY
busybox  1.36.1               binary  CVE-2023-42366  Medium
busybox  1.36.1               binary  CVE-2023-42365  Medium
busybox  1.36.1               binary  CVE-2023-42364  Medium
busybox  1.36.1               binary  CVE-2023-42363  Medium
1 error occurred:
        * discovered vulnerabilities at or above the severity threshold

However, if a .grype.yaml is created with the same CVEs listed in an ignore block, those CVEs are ignored. Create a .grype.yaml with the following:

ignore:
- vulnerability: CVE-2023-42366
- vulnerability: CVE-2023-42365
- vulnerability: CVE-2023-42364
- vulnerability: CVE-2023-42363

And then invoke Grype with --fail-on set:

➜  ~ grype busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3 --fail-on medium
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                                     busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3
 ✔ Parsed image                                                                    sha256:a6969cfac53d7d994eabab99ef8080b8495ae7ddd34731128718316797c2244b
 ✔ Cataloged packages              [1 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 4 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 4 not-fixed, 0 ignored
No vulnerabilities found

cc @puerco

Environment:

  • Output of grype version:
➜  ~ grype version
Application:         grype
Version:             0.73.4
BuildDate:           2023-11-30T14:32:13Z
GitCommit:           a4bced160291e81dbdeaa415d20e64b8741ee00d
GitDescription:      v0.73.4
Platform:            darwin/arm64
GoVersion:           go1.21.4
Compiler:            gc
Syft Version:        v0.98.0
Supported DB Schema: 5
  • OS (e.g: cat /etc/os-release or similar):
    MacOS Ventura 13.6.3
@ferozsalam ferozsalam added the bug Something isn't working label Dec 18, 2023
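
The gate ordering this report asks for, as an added Go example that is not part of the original issue and is not Grype's own code: `not_affected` statements from the VEX document are applied to the match list before the `--fail-on`-style severity threshold is evaluated. `Match`, `rank`, `Gate` and `sampleVEX` are hypothetical names, the sample document is constructed from two of the statements above, and products are assumed to match by exact `@id` string.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Match is a simplified finding (hypothetical type, not Grype's own).
type Match struct{ Product, CVE, Severity string }
var rank = map[string]int{"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

// sampleVEX is constructed: two not_affected statements shaped like test-vex.json.
const sampleVEX = `{"statements": [
 {"vulnerability": {"name": "CVE-2023-42366"}, "products": [{"@id": "pkg:oci/busybox"}], "status": "not_affected"},
 {"vulnerability": {"name": "CVE-2023-42365"}, "products": [{"@id": "pkg:oci/busybox"}], "status": "not_affected"}]}`

// Gate applies VEX suppression before the severity threshold (exact @id match assumed).
func Gate(vex []byte, found []Match, threshold string) (fail bool, ignored int, err error) {
	var d struct {
		Statements []struct {
			Vulnerability struct{ Name string }
			Products      []struct{ ID string `json:"@id"` }
			Status        string
		}
	}
	if err = json.Unmarshal(vex, &d); err != nil {
		return true, 0, err // fail closed on an unreadable VEX document
	}
	na := map[string]bool{}
	for _, s := range d.Statements {
		for _, p := range s.Products {
			na[p.ID+"|"+s.Vulnerability.Name] = s.Status == "not_affected"
		}
	}
	for _, m := range found {
		if na[m.Product+"|"+m.CVE] {
			ignored++ // suppressed before the threshold is evaluated
		} else if rank[m.Severity] >= rank[threshold] {
			fail = true
		}
	}
	return fail, ignored, nil
}

func main() {
	found := []Match{{"pkg:oci/busybox", "CVE-2023-42366", "medium"}, {"pkg:oci/busybox", "CVE-2023-42365", "medium"}}
	fail, ignored, err := Gate([]byte(sampleVEX), found, "medium")
	fmt.Println("fail:", fail, "ignored:", ignored, "err:", err)
}
```
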
@tgerla
Contributor

tgerla commented Dec 21, 2023

Hi @ferozsalam, thanks for the report! We will take a look.

@ferozsalam
Contributor Author

Hey @tgerla if the team agrees that this is a bug and that the correct behaviour should be as described in 'What you expected to happen', then I'm happy to take a look at fixing this myself.

@tgerla
Contributor

tgerla commented Jan 4, 2024

Hi @ferozsalam, that would be excellent. Yes, we agree that this is a bug and your described behavior is probably the right approach. If you need any guidance or anything, just let us know here or in our community Slack and we can help you out. Thanks much!
