Ignore/add match results based on OpenVEX documents #1397
Conversation
|
for matches that were added due to an |
Ah great idea, this could be useful for both cases. This change is not considering |
cmd/grype/cli/legacy/root.go
Outdated
| ) | ||
|
|
||
| flags.BoolP( | ||
| "vex-filter", "", true, |
There was a problem hiding this comment.
we could probably drop this flag on the first pass (where if the user passes a vex doc then it implicitly filters)
There was a problem hiding this comment.
from the conversation: this was here to enable filtering or enable adding matches based on vex. Since the ignore rules already covered in the application configuration we can try to at least cover the addition of matches based on vex statements:
GRYPE_VEX_ADD=affected,under_investigation # default "", or allow "true" which means just "affected"
So by default grype would filter by default when provided a vex document, but the user would need to opt-into augmenting/adding matches based on vex documents.
There was a problem hiding this comment.
(consider this config example to be not finalized / illustrative)
There was a problem hiding this comment.
OK, we now have the results augmentation feature implemented see my comment below.
|
from an offline conversation:
|
puerco
force-pushed
the
openvex
branch
2 times, most recently
from
4caa03e
to
46354a5
Compare
puerco
force-pushed
the
openvex
branch
3 times, most recently
from
8e3aeaf
to
e1abdfe
Compare
|
@wagoodman @kzantow @willmurphyscode we finally merged the required functionality into the @openvex libraries! This should be ready to run by itself 🎉 Can you enable the CI to run to finish it? |
|
@puerco I think the replace directive will need to be removed before CI runs properly/ |
|
Duh, I rebased and forgot to remove it. The replace is gone but now it is stuck again waiting for approval again, I guess this is because it is my first contribution to the repo :/ |
|
I rebased this PR to the latest release of the OpenVEX libraries. I also fixed a bunch of typos on #1455 to have a previous contribution so that GitHub runs the CI automatically and I don't have to nag you all :) |
|
OK, we now have support for This env var is wired to a When enabled, the current implementation will move any matches that are ignored back to the active result sets when a statement with those vex statuses applies to it. When moved back to the results, the vex processor will add a record with a new openvex matcher and record the parameters used to match and the statement that caused the result to be considered again. Here is a sample from the json output: {
"type": "exact-direct-match",
"matcher": "openvex-matcher",
"searchedBy": {
"Vulnerability": "CVE-2023-1255",
"Product": "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
"Subcomponents": [
"pkg:apk/alpine/libcrypto3@3.0.8-r3?arch=x86_64&upstream=openssl&distro=alpine-3.17.3"
]
},
"found": {
"Statement": {
"vulnerability": {
"name": "CVE-2023-1255"
},
"timestamp": "2023-07-17T18:28:47.696004345-06:00",
"products": [
{
"@id": "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
"subcomponents": [
{
"@id": "pkg:apk/alpine/libssl3@3.0.8-r3"
},
{
"@id": "pkg:apk/alpine/libcrypto3@3.0.8-r3"
}
]
}
],
"status": "affected"
}
}
}
I've added an example openvex document with an Example invocation: @wagoodman @kzantow PTAL and let me know what you think. |
puerco
force-pushed
the
openvex
branch
5 times, most recently
from
1f9ece0
to
b28e484
Compare
|
@wagoodman I've wired the OpenVEX matcher to the test framework and tests for it now run in addition to the regular matchers. The new test loop can ingest any number of vex documents preparing it for other possible vex processors different from OpenVEX. 🟢 Tests are green now, please take a look when you have a chance. Once we're ready I'll drop the commit with the example files (currently at 062ff1f ) Do you want to take a look at how suppressed matches are surfaced in the UI as we discussed offline? |
This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit bumps the maximum function length to 73 to accomodate the new flag in AddFlags() Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
This commit adds a new test and fixtures to test the VEX matchers along the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches a new loop was added to the test to accomodate the different testing model. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Based on Alex's previous caommit Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
wagoodman
changed the title
|
Thanks very much for this contribution, @puerco! |
|
Thank you so much for all your patience and help @wagoodman @kzantow ! |
This (draft) PR adds the initial support for OpenVEX data support in Grype. It handles document handling, data evaluation, filtering of results and presentation of the results to the user.
This is the first stage in the VEX proposal in #1365.
The PR extends Grype's ignore rules system with new VEX data fields and a second stage where a VEX processor does a second evaluation of the configured ignore rules, it is a second stage because VEX not only ignores rules but may also reconsider previously ignored results (this PR does not do that yet).
This tries to explain how vex is wired into the flow of results, green is the match data, and grey is the processing flow:
flowchart TD style Z fill:#696,stroke:#333,stroke-width:2px,color:#fff style X fill:#696,stroke:#333,stroke-width:2px,color:#fff style W fill:#696,stroke:#333,stroke-width:2px,color:#fff subgraph SG1["Ignore Rules System"] B[["ignore.ApplyIgnoreRules()"]] D[[Process rule as usual]] E[Skip ignore rule] C{Rule has VEX data?} end subgraph SG2["New VEX Processor"] F[[Process remaining VEX Rules]] end Z[Matches] X[Matches + Ignore Set] W[Final Matches + Ignore Set] Z -..->SG1 SG1 -.->X X -.->SG2 SG2 -.->W A[Parse Ignore Rules] --> B B --> C{Rule has VEX data?} C ---->|no| D C -->|yes| E E ---->FSample Runs:
This run scans a known alpine image and suppresses all the vulnerabilities using this OpenVEX document:
That document suppresses one vulnerability using
not_affectedwith a status ofvulnerable_code_not_present. By applying this configuration file we can configure Grype to only suppress results marked with that status and justification:Flags
In addition to the VEX ignore rules, the CLI has two new flags that control how VEX impacts the results.
The first flag
--vexpasses to Grype the path of one or more VEX documents to be parsed and used when processing the scan results. The second one enables and disables the default VEX ignore rules which are to honor statements with a VEX status offixedornot_affected. At this time only the filter part is implemented. Recovering matches from ignore sets based onaffectedstatus is not yet implemented.The VEX processor is an interface that has two purposes: Read VEX documents and Apply the VEX data to results. It is designed to be VEX-implementation agnostic, this PR includes the OpenVEX implementation.
About the PR:
Signed-off-by: Adolfo García Veytia (Puerco) puerco@chainguard.dev