feat(report): update gitlab template to populate operating_system value#7735
Conversation
|
|
|
The existing test was updated to reflect the I did manually test against {
...
"vulnerabilities": [
{
"id": "CVE-2024-24579",
"name": "stereoscope vulnerable to tar path traversal when processing OCI tar archives",
"description": "stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.",
"severity": "Medium",
"solution": "Upgrade github.com/anchore/stereoscope to 0.0.1",
"location": {
"dependency": {
"package": {
"name": "github.com/anchore/stereoscope"
},
"version": "v0.0.0-20210817160504-0f4abc2a5a5a"
},
"operating_system": "Unknown",
"image": "syft"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2024-24579",
"value": "CVE-2024-24579",
"url": "https://avd.aquasec.com/nvd/cve-2024-24579"
}
],
"links": [{
"url": "https://github.com/anchore/stereoscope"
},{
"url": "https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204"
},{
"url": "https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv"
},{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24579"
}
]
},
...
],
...
} |
| {{- $target := .Target }} | ||
| {{- $image := $target | regexFind "[^\\s]+" }} | ||
| {{- $os := "Unknown" }} | ||
| {{- if contains "(" $target -}} |
There was a problem hiding this comment.
I am worried that filepath might contain (:
trivy/pkg/scanner/langpkg/scan.go
Line 52 in 56dbe1f
Can Class field be used to detect OS package vulnerabilities?
trivy/pkg/scanner/ospkg/scan.go
Lines 40 to 41 in 56dbe1f
There was a problem hiding this comment.
My goal here was to replicate the data from GitLab's container scanning tool using Trivy directly. Within GitLab, the format is unique to container scanning (i.e. container images in a registry). In that use case, there's shouldn't be parentheses in the .Target value as they're invalid. If it's being used in other cases with file paths then parentheses could be an issue, but then spaces could also be an issue with line 31
{{- $image := $target | regexFind "[^\\s]+" }}`There was a problem hiding this comment.
On the Class question, GitLab actually displays the results, not just looking to identify OS packages, for example:
There was a problem hiding this comment.
If it's being used in other cases with file paths then parentheses could be an issue, but then spaces could also be an issue with line 31
Hm.. you are right.
We need to think about language-specific files from container.
I think we can check all targets to find os and image and use them for all targets.
Something like this:
{{- $image := "Unknown" -}}
{{- $os := "Unknown" -}}
{{- range . }}
{{- if eq .Class "os-pkgs" -}}
{{- $target := .Target }}
{{- $image = $target | regexFind "[^\\s]+" }}
{{- $os = $target | splitList "(" | last | trimSuffix ")" }}
{{- end }}
{{- end }}
"vulnerabilities": [
{{- $t_first := true }}
{{- range . }}
{{- $target := .Target }}
{{- range .Vulnerabilities -}}
wdyt?
test:
FROM alpine
COPY log4j-core-2.17.0.jar /te(st)/log4j-core-2.17.0.jarBefore:
➜ trivy -q image test:7735 -f template -t @./contrib/gitlab.tpl | grep "operating_system" -A 1
"operating_system": "alpine 3.20.3",
"image": "test:7735"
--
"operating_system": "alpine 3.20.3",
"image": "test:7735"
--
"operating_system": "Unknown",
"image": "Java"
After:
➜ trivy -q image test:7735 -f template -t @./contrib/gitlab.tpl | grep "operating_system" -A 1
"operating_system": "alpine 3.20.3",
"image": "test:7735"
--
"operating_system": "alpine 3.20.3",
"image": "test:7735"
--
"operating_system": "alpine 3.20.3",
"image": "test:7735"
There was a problem hiding this comment.
@DmitriyLewen I like it. I did a quick test and it is slightly different than what GitLab output, but I think it's more logical. By default they run with --vuln-type os, which I had forgotten, but after overriding they output "operating_system": "Unknown" for non-OS packages. There are some cases, for example I can think of some npm package examples, that have language-specific installations (installing binaries), so I think the OS is useful data.
At the moment there's one test for this template, which I had updated, but what are your thoughts on tests for the "Unknown" cases?
There was a problem hiding this comment.
At the moment there's one test for this template, which I had updated, but what are your thoughts on tests for the "Unknown" cases?
Hm... You can add test for testdata/fixtures/images/vulnimage.tar.gz (use low severity to skip a few vulns).
➜ trivy -q image -f template -t @./contrib/gitlab.tpl --input ./integration/testdata/fixtures/images/vulnimage.tar.gz --severity LOW | grep "operating_system" -A 1
"operating_system": "alpine 3.7.1",
"image": "./integration/testdata/fixtures/images/vulnimage.tar.gz"
--
"operating_system": "alpine 3.7.1",
"image": "./integration/testdata/fixtures/images/vulnimage.tar.gz"
There was a problem hiding this comment.
I was actually thinking the other direction - an image, maybe something FROM scratch, that would report "operating_system": "Unknown", just to test the defaults. I'm not sure it's critical, but didn't see an image in the existing testcases that looked like it would work. I think the image/os values are already covered in the test for integration/testdata/alpine-310.gitlab.golden.
There was a problem hiding this comment.
I have provided vulnimage.tar.gz to show that vulnerabilities for language packages now contain the correct operating_system and image values.
Actual behavior:
➜ trivy -q image -f template -t @./contrib/gitlab.tpl --input ./integration/testdata/fixtures/images/vulnimage.tar.gz --severity LOW | grep "operating_system" -A 1
"operating_system": "Unknown",
"image": "./integration/testdata/fixtures/images/vulnimage.tar.gz"
--
"operating_system": "Unknown",
"image": "rust-app/Cargo.lock"
that would report "operating_system": "Unknown", just to test the defaults
We can use fs mode (use one dir from repo to check this. In this case OS is not detected.
There was a problem hiding this comment.
I added a test and the actions are all passing in my fork, so from my perspective I think this is ready.
aarongoldenthal
force-pushed
the
gitlab-template-os
branch
from
94395bd to
9954714
Compare
aarongoldenthal
force-pushed
the
gitlab-template-os
branch
from
9954714 to
7c7c62a
Compare
4 participants
Description
Update the
gitlab.tplcontainer scanning template to populate thevulnerabilities[].location.operating_systemvalue from theTarget. The current template extracts theimagefromTarget, but the OS is not used and has the value hardcoded as"operating_system": "Unknown". This update extracts the OS fromTarget, if specified (simply checking for(in theTarget), to populate theoperating_systemvalue (for example"operating_system": "alpine 3.10.2"). If not specified, the default ofUnknownis used.Related issues
Checklist