
feat(sbom): add VEX support #4053

Merged
merged 18 commits into from
Apr 27, 2023

Conversation

@knqyf263 knqyf263 commented Apr 13, 2023

Description

Add --vex to filter out vulnerabilities

Note that this is in the experimental stage and does not yet support many specifications.

Formats

Usage

$ trivy fs --format cyclonedx --output trivy.sbom.cdx ./go.mod
$ trivy sbom trivy.sbom.cdx

go.mod (gomod)
==============
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ 1.44.234          │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

$ cat trivy.vex.cdx
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "CVE-2020-8911",
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": ["will_not_fix", "update"],
        "detail": "The vulnerable function is not called"
      },
      "affects": [
        {
          "ref": "urn:cdx:5e745bd2-0754-4d34-8f22-8940492b63fd/1#pkg:golang/github.com/aws/aws-sdk-go@1.44.234"
        }
      ]
    }
  ]
}

$ trivy sbom trivy.sbom.cdx --vex trivy.vex.cdx
...
2023-04-13T12:55:44.838+0300    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2020-8911", "status": "not_affected", "justification": "code_not_reachable"}

go.mod (gomod)
==============
Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │ LOW      │ 1.44.234          │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

$ cat trivy.openvex
{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f",
  "author": "Aqua Security",
  "timestamp": "2023-01-16T19:07:16.853479631-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2020-8911",
      "products": [
        "urn:cdx:5e745bd2-0754-4d34-8f22-8940492b63fd/1#pkg:golang/github.com/aws/aws-sdk-go@1.44.234"
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}

$ trivy sbom trivy.sbom.cdx --vex trivy.openvex
...
2023-04-13T12:56:42.954+0300    INFO    Filtered out the detected vulnerability {"VEX format": "OpenVEX", "vulnerability-id": "CVE-2020-8911", "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}

go.mod (gomod)
==============
Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │ LOW      │ 1.44.234          │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263 knqyf263 self-assigned this Apr 13, 2023
@knqyf263 knqyf263 requested a review from otms61 April 13, 2023 09:57
pkg/vex/vex.go
@knqyf263 knqyf263 marked this pull request as ready for review April 23, 2023 14:08
zap.Int("version", link.Version()))
continue
}
if vuln.PkgRef == link.Reference() &&
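Review bot: the comparison vuln.PkgRef == link.Reference() only succeeds when the BOM-Link fragment carries the component's bom-ref, which in Trivy-generated SBOMs is the purl; as the thread below shows, a VEX product written as "urn:cdx:<serial>/1#libcrypto1.1@1.1.1t-r0" then matches nothing with no diagnostic. Suggest logging (debug level) when a product BOM-Link parses cleanly but its reference matches no component bom-ref in the SBOM, so a mis-authored VEX file is visible instead of silently leaving the finding in place.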
Collaborator:

I generated a CycloneDX SBOM of alpine:3.16.4 with trivy image. This SBOM has the serial number urn:uuid:d313306a-6869-45b2-a5eb-aa8b048e4d48.
Then I scanned the SBOM with the following OpenVEX.

{
  "@context": "https://openvex.dev/ns",
  "author": "Aqua Security",
  "role": "Project Release Bot",
  "timestamp": "2023-01-16T19:07:16.853479631-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2023-0465",
      "products": [
        "urn:cdx:d313306a-6869-45b2-a5eb-aa8b048e4d48/1#libcrypto1.1@1.1.1t-r0"
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}

This OpenVEX doesn't work well because link.Reference() returns libcrypto1.1@1.1.1t-r0, which is the part of the URN after the #, while vuln.PkgRef is pkg:apk/alpine/libcrypto1.1@1.1.1t-r0?distro=3.16.4, which is the purl of the component.
It seems that vuln.PkgID is suitable here.

Collaborator Author:

BOM-Link consists of

  • serialNumber
  • version
  • bom-ref

You passed "urn:cdx:d313306a-6869-45b2-a5eb-aa8b048e4d48/1#libcrypto1.1@1.1.1t-r0", and libcrypto1.1@1.1.1t-r0 is not a BOM-Ref. pkg:apk/alpine/libcrypto1.1@1.1.1t-r0?distro=3.16.4 is correct.

    {
      "bom-ref": "pkg:apk/alpine/libcrypto1.1@1.1.1t-r0?distro=3.16.4",
      "type": "library",
      "name": "libcrypto1.1",
      "version": "1.1.1t-r0",
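The matching rule from the PR description (a VEX statement filters a finding) and from the BOM-Link discussion above (serialNumber, version and bom-ref must all agree), as an added Go example that is not Trivy's own pkg/vex code: it parses a urn:cdx BOM-Link and decides whether a finding is filtered out. The Statement and BOMLink types, the Covered function, and the assumption that the SBOM serialNumber is written as "urn:uuid:<uuid>" are this example's own.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// Statement is the subset of an OpenVEX statement this example uses; each
// product is a CycloneDX BOM-Link: urn:cdx:<serialNumber>/<version>#<bom-ref>.
type Statement struct {
	Vulnerability, Status string
	Products              []string
}
// BOMLink is the parsed link: document uuid (no "urn:uuid:"), version and the component's bom-ref.
type BOMLink struct {
	SerialNumber, Reference string
	Version                 int
}
// ParseBOMLink splits a BOM-Link and rejects one with no bom-ref fragment.
func ParseBOMLink(s string) (BOMLink, error) {
	head, ref, ok := strings.Cut(strings.TrimPrefix(s, "urn:cdx:"), "#")
	if !strings.HasPrefix(s, "urn:cdx:") || !ok || ref == "" {
		return BOMLink{}, errors.New("malformed BOM-Link: " + s)
	}
	serial, ver, _ := strings.Cut(head, "/")
	v, err := strconv.Atoi(ver)
	if err != nil {
		return BOMLink{}, errors.New("BOM-Link version is not numeric: " + s)
	}
	return BOMLink{SerialNumber: serial, Version: v, Reference: ref}, nil
}

// Covered reports whether finding vulnID on component pkgRef (its bom-ref, the purl
// in Trivy SBOMs) is filtered by a not_affected statement: the product BOM-Link must
// agree on uuid and version AND carry that bom-ref, so "#name@version" matches nothing.
func Covered(serialNumber string, version int, vulnID, pkgRef string, stmts []Statement) bool {
	uuid := strings.TrimPrefix(serialNumber, "urn:uuid:") // assumed SBOM serialNumber form
	for _, st := range stmts {
		if st.Vulnerability != vulnID || st.Status != "not_affected" {
			continue
		}
		for _, p := range st.Products {
			l, err := ParseBOMLink(p)
			if err == nil && l.SerialNumber == uuid && l.Version == version && l.Reference == pkgRef {
				return true
			}
		}
	}
	return false
}
```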

Collaborator:

Oops, sorry, I had a misunderstanding about the bom-ref and bom-link. I needed to create the OpenVEX using the target SBOM's bom-ref.

Collaborator Author:

Right, if I understand correctly.

@@ -0,0 +1,161 @@
# Vulnerability Exploitability Exchange (VEX)
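Review bot: only the page title is visible in this hunk, but given the thread above where a product of "urn:cdx:<serial>/1#libcrypto1.1@1.1.1t-r0" matched nothing, the new docs page should state explicitly that the fragment of a BOM-Link must be the component's bom-ref from the target SBOM (the purl in Trivy-generated SBOMs), and carry the description's note that the feature is experimental and does not yet support many specifications.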
Member:

@knqyf263 did you restructure the docs so SBOMs and related are under "supply-chain"?

Collaborator Author:

Yes, I did in #3977. You can see how it looks now below.
https://aquasecurity.github.io/trivy/dev/docs/

@AnaisUrlichs AnaisUrlichs (Member) left a comment

docs look good to me

@knqyf263 knqyf263 merged commit 11a5b91 into aquasecurity:main Apr 27, 2023
8 checks passed
Successfully merging this pull request may close these issues.

CycloneDX VEX support