Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(vex): Add support for CSAF format #5535

Merged
merged 21 commits into from
Jan 6, 2024

Conversation

juan131
Copy link
Contributor

@juan131 juan131 commented Nov 8, 2023

Description

This PR adds support for filtering out detected vulnerabilities using the existing --vex experimental flag and VEX data provided using CSAF format (currently only OpenVEX & CycloneDX are supported).

Given the following SBOM running the scanner will report the following vulnerabilities:

$ trivy sbom trivy.sbom.cdx
2023-11-08T11:26:24.445+0100	INFO	Vulnerability scanning is enabled
2023-11-08T11:26:24.448+0100	INFO	Detected SBOM format: cyclonedx-json
2023-11-08T11:26:24.455+0100	WARN	Ignore the OS package as no OS information is found.
2023-11-08T11:26:24.467+0100	INFO	Number of language-specific files: 1
2023-11-08T11:26:24.467+0100	INFO	Detecting gomod vulnerabilities...

go.mod (gomod)

Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 2, CRITICAL: 0)

┌───────────────────────────────────────┬─────────────────────┬──────────┬────────┬─────────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │    Vulnerability    │ Severity │ Status │  Installed Version  │     Fixed Version      │                            Title                             │
├───────────────────────────────────────┼─────────────────────┼──────────┼────────┼─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl           │ CVE-2023-1732       │ MEDIUM   │ fixed  │ 1.1.0               │ 1.3.3                  │ Improper random reading in CIRCL                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-1732                    │
├───────────────────────────────────────┼─────────────────────┤          │        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cyphar/filepath-securejoin │ GHSA-6xv5-86q9-7xr8 │          │        │ 0.2.3               │ 0.2.4                  │ SecureJoin: on windows, paths outside of the rootfs could be │
│                                       │                     │          │        │                     │                        │ inadvertently produced...                                    │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-6xv5-86q9-7xr8            │
├───────────────────────────────────────┼─────────────────────┤          │        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker              │ GHSA-jq35-85cj-fj4p │          │        │ 23.0.5+incompatible │ 24.0.7                 │ /sys/devices/virtual/powercap accessible by default to       │
│                                       │                     │          │        │                     │                        │ containers                                                   │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-jq35-85cj-fj4p            │
├───────────────────────────────────────┼─────────────────────┤          │        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/sigstore/rekor             │ CVE-2023-33199      │          │        │ 1.1.1               │ 1.2.0                  │ malformed proposed intoto entries can cause a panic          │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-33199                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net                      │ CVE-2023-39325      │ HIGH     │        │ 0.9.0               │ 0.17.0                 │ rapid stream resets can cause excessive work                 │
│                                       │                     │          │        │                     │                        │ (CVE-2023-44487)                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                                       ├─────────────────────┼──────────┤        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-3978       │ MEDIUM   │        │                     │ 0.13.0                 │ Cross site scripting                                         │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                                       ├─────────────────────┤          │        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-44487      │          │        │                     │ 0.17.0                 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                                       │                     │          │        │                     │                        │ attack (Rapid...                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                │ GHSA-m425-mq94-257g │ HIGH     │        │ 1.54.0              │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                     │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-m425-mq94-257g            │
│                                       ├─────────────────────┼──────────┤        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-44487      │ MEDIUM   │        │                     │ 1.58.3, 1.57.1, 1.56.3 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                                       │                     │          │        │                     │                        │ attack (Rapid...                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└───────────────────────────────────────┴─────────────────────┴──────────┴────────┴─────────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

Now, if we create a CSAF VEX assessment for CVE-2023-1732 for example, and we run the command again:

$ ./trivy sbom trivy.sbom.cdx --vex trivy.vex.csaf
2023-11-08T11:27:53.281+0100	INFO	Vulnerability scanning is enabled
2023-11-08T11:27:53.283+0100	INFO	Detected SBOM format: cyclonedx-json
2023-11-08T11:27:53.289+0100	WARN	Ignore the OS package as no OS information is found.
2023-11-08T11:27:53.300+0100	INFO	Number of language-specific files: 1
2023-11-08T11:27:53.300+0100	INFO	Detecting gomod vulnerabilities...
2023-11-08T11:27:53.313+0100	INFO	Filtered out the detected vulnerability	{"VEX format": "CSAF", "vulnerability-id": "CVE-2023-1732", "status": "not_affected"}

go.mod (gomod)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

┌───────────────────────────────────────┬─────────────────────┬──────────┬────────┬─────────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │    Vulnerability    │ Severity │ Status │  Installed Version  │     Fixed Version      │                            Title                             │
├───────────────────────────────────────┼─────────────────────┼──────────┼────────┼─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cyphar/filepath-securejoin │ GHSA-6xv5-86q9-7xr8 │ MEDIUM   │ fixed  │ 0.2.3               │ 0.2.4                  │ SecureJoin: on windows, paths outside of the rootfs could be │
│                                       │                     │          │        │                     │                        │ inadvertently produced...                                    │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-6xv5-86q9-7xr8            │
├───────────────────────────────────────┼─────────────────────┤          │        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker              │ GHSA-jq35-85cj-fj4p │          │        │ 23.0.5+incompatible │ 24.0.7                 │ /sys/devices/virtual/powercap accessible by default to       │
│                                       │                     │          │        │                     │                        │ containers                                                   │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-jq35-85cj-fj4p            │
├───────────────────────────────────────┼─────────────────────┤          │        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/sigstore/rekor             │ CVE-2023-33199      │          │        │ 1.1.1               │ 1.2.0                  │ malformed proposed intoto entries can cause a panic          │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-33199                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net                      │ CVE-2023-39325      │ HIGH     │        │ 0.9.0               │ 0.17.0                 │ rapid stream resets can cause excessive work                 │
│                                       │                     │          │        │                     │                        │ (CVE-2023-44487)                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                                       ├─────────────────────┼──────────┤        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-3978       │ MEDIUM   │        │                     │ 0.13.0                 │ Cross site scripting                                         │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                                       ├─────────────────────┤          │        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-44487      │          │        │                     │ 0.17.0                 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                                       │                     │          │        │                     │                        │ attack (Rapid...                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                │ GHSA-m425-mq94-257g │ HIGH     │        │ 1.54.0              │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                     │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-m425-mq94-257g            │
│                                       ├─────────────────────┼──────────┤        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-44487      │ MEDIUM   │        │                     │ 1.58.3, 1.57.1, 1.56.3 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                                       │                     │          │        │                     │                        │ attack (Rapid...                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└───────────────────────────────────────┴─────────────────────┴──────────┴────────┴─────────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

Signed-off-by: juan131 <jariza@vmware.com>
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution!

go.mod Outdated Show resolved Hide resolved
Signed-off-by: juan131 <jariza@vmware.com>
Signed-off-by: juan131 <jariza@vmware.com>
Signed-off-by: juan131 <jariza@vmware.com>
…istribution library

Signed-off-by: juan131 <jariza@vmware.com>
Signed-off-by: juan131 <jariza@vmware.com>
@knqyf263
Copy link
Collaborator

knqyf263 commented Dec 6, 2023

I have been on paid leave irregularly for various reasons most recently, but would like to review it this week. Thanks!

@juan131
Copy link
Contributor Author

juan131 commented Dec 12, 2023

Friendly reminder @knqyf263

@juan131
Copy link
Contributor Author

juan131 commented Dec 19, 2023

@DmitriyLewen @knqyf263 I'd appreciate your review

Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @juan131
Thank you for your work and sorry for the wait.
LGTM.
Left 1 comment.

Can you also add information about CSAF in docs?
Pay attention to 1 point:
For default scanning (I mean non-sbom mode), vuln.PkgRef is usually empty.
We need to write that CSAF only works for sbom mode.
After merge #5439 we will update docs.

package vex

import (
csaf "github.com/csaf-poc/csaf_distribution/v3/csaf"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if use https://github.com/openvex/go-vex/blob/main/pkg/csaf/csaf.go

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd rather use the one maintained by OASIS CSAF TC, see https://oasis-open.github.io/csaf-documentation/tools.html

@juan131
Copy link
Contributor Author

juan131 commented Jan 2, 2024

Can you also add information about CSAF in docs?

Done at b7f1e77

juan131 and others added 3 commits January 3, 2024 08:36
Signed-off-by: juan131 <jariza@vmware.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your patience! LGTM!

@knqyf263 knqyf263 added this pull request to the merge queue Jan 6, 2024
Merged via the queue into aquasecurity:main with commit c47ed0d Jan 6, 2024
17 checks passed
@juan131 juan131 deleted the feat/csaf-vex branch January 8, 2024 07:26
@juan131
Copy link
Contributor Author

juan131 commented Jan 8, 2024

Awesome, thanks @knqyf263 !! Do you plan to include this enhancement in the next minor version 0.49.0?

@knqyf263
Copy link
Collaborator

knqyf263 commented Jan 8, 2024

Yes. Also, I started implementing PURL matching to improve CSAF support.

@mpermar
Copy link

mpermar commented Jan 8, 2024

This is awesome!! 🎉🚀 @tschmidtb51 FYI!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Enhancement request to support the Common Security Advisory Framework (CSAF) format.
5 participants