fix(mariner): use advisory_id for definition file names

[DmitriyLewen]

Description

There are times when CBL-Mariner uses multiple definitions for a single CVE.
e.g:

<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31880" version="1">
      <metadata>
        <title>CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28</title>
        <affected family="unix">
          <platform>CBL-Mariner</platform>
        </affected>
        <reference ref_id="CVE-2023-5678" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2023-5678" source="CVE"/>
        <patchable>true</patchable>
        <advisory_id>31880-1</advisory_id>
        <severity>Medium</severity>
        <description>CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28. A patched version of the package is available.</description>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Package openssl is earlier than 1.1.1k-28, affected by CVE-2023-5678" test_ref="oval:com.microsoft.cbl-mariner:tst:31880000"/>
      </criteria>
    </definition>
    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31872" version="1">
      <metadata>
        <title>CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38</title>
        <affected family="unix">
          <platform>CBL-Mariner</platform>
        </affected>
        <reference ref_id="CVE-2023-5678" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2023-5678" source="CVE"/>
        <patchable>true</patchable>
        <advisory_id>31872-1</advisory_id>
        <severity>Medium</severity>
        <description>CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38. A patched version of the package is available.</description>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Package edk2 is earlier than 20230301gitf80f052277c8-38, affected by CVE-2023-5678" test_ref="oval:com.microsoft.cbl-mariner:tst:31872000"/>
      </criteria>
    </definition>

To avoid overwriting - use advisory_id field for file names.
See #271 (comment)

Related Issues

• [Mariner] trivy doesn't detect CVE-2023-5678 for package earlier than where the fix has been first introduced. trivy-db#379

[knqyf263]

I'm checking with the Aqua commercial team.

[eric-desrochers]

Any ETA for this PR to be merged in Trivy ?

[eric-desrochers]

@knqyf263 any development based on your check with Aqua commercial team ?

[knqyf263]

I'll remind them

[eric-desrochers]

I'll remind them

@knqyf263 any update ? This is impacting AKS Image Cleaner in its ability to retire unsecure images for which CVE are found.

[knqyf263]

I reminded them again, but they seem to be busy. If you're in a hurry, you can update your data as described below.
aquasecurity/trivy-db#379 (comment)

[knqyf263]

@DmitriyLewen Can't we save two files named the advisory id instead of CVE-ID, like /definitions/2023/31872-1.json?

[DmitriyLewen]

hm... i didn't think about this.

I see 2 points:

• I checked oval files. Looks like all definitions contain advisory_id. Also all advisory_id are unique.

  ➜ cat cbl-mariner-2.0-oval.xml| grep advisory_id | sort | uniq -d   
  ➜ cat cbl-mariner-1.0-oval.xml| grep advisory_id | sort | uniq -d
  ➜ cat cbl-mariner-1.0-oval.xml| grep '<definition class="vulnerability"' | wc -l
      2252
  ➜ cat cbl-mariner-1.0-oval.xml| grep advisory_id | wc -l         
      2252
  ➜ cat cbl-mariner-2.0-oval.xml| grep '<definition class="vulnerability"' | wc -l
      2702
  ➜ cat cbl-mariner-2.0-oval.xml| grep advisory_id | wc -l
      2702

  But advisory_id is custom field - https://github.com/OVALProject/Language/blob/7fa7bba7b48f09decb732d00b2be032a487ff9fc/schemas/oval-definitions-schema.xsd#L242-L276. Therefore, we cannot be 100% sure about this field.
• Working with these files will be more difficult. advisory_id means nothing to user. Therefore, to find file for CVE, you need to use search. It's not a big problem, but it's still 1 extra action.

[knqyf263]

But advisory_id is custom field - https://github.com/OVALProject/Language/blob/7fa7bba7b48f09decb732d00b2be032a487ff9fc/schemas/oval-definitions-schema.xsd#L242-L276. Therefore, we cannot be 100% sure about this field.

id and version are required. I think we can construct an advisory id from them.
https://github.com/OVALProject/Language/blob/7fa7bba7b48f09decb732d00b2be032a487ff9fc/schemas/oval-definitions-schema.xsd#L237-L238

    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31880" version="1">

Working with these files will be more difficult. advisory_id means nothing to user. Therefore, to find file for CVE, you need to use search. It's not a big problem, but it's still 1 extra action.

It's no big deal. We already use custom advisory IDs for others.
https://github.com/aquasecurity/vuln-list/tree/main/ghsa/go/github.com/aws/aws-sdk-go
https://github.com/aquasecurity/vuln-list/tree/main/alma/9/2024

[DmitriyLewen]

hm... looks like your are right.
IIUC in some cases mariner uses only latest from version:

    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:27423" version="2000000001">
...
        <advisory_id>27423-1</advisory_id>

But it doesn't have much impact.

[knqyf263]

IIUC in some cases mariner uses only latest from version:

What do you mean? 2000000001 is the latest?

[DmitriyLewen]

hm... i missed word 😞
I meant mariner uses only latest number from version
version="2000000001" -> 1
version="2000000002" -> 2
`version="2000000000" -> without version

[knqyf263]

Got it, you mean they use the last digit. Even 27423-2000000001 is not bad since we just need a unique identifier.

[DmitriyLewen]

only cbl-1.0 uses version 2000...
cbl-2.0 uses single digit as version (1,2,3, etc.).
I think we can reproduce their logic.

[knqyf263]

If we go with this approach, what changes do we need in trivy-db compared to the current PR?

[DmitriyLewen]

we will only need to update names of test files to match the names in vuln-list.

[DmitriyLewen]

I thought about using advisory_date field.
But this field does not always exist:

➜ cat cbl-mariner-1.0-oval.xml| grep ' <definition class="vulnerability"' | toilet -l
      2252
➜ cat cbl-mariner-1.0-oval.xml| grep '<advisory_date>' | toilet -l
      2070

So I'm leaving logic with year number from CVE.

[DmitriyLewen]

@knqyf263 I updated this PR. Can you take a look?

[knqyf263]

Even after we merge this PR, will trivy-db not fail?

[DmitriyLewen]

right.
I used mariner dir with new file names:

➜  make db-build
./trivy-db build --cache-dir cache --update-interval 6h
2024/05/15 15:51:45 Updating vulnerability database...
2024/05/15 15:51:45 Updating cbl-mariner data...
2024/05/15 15:51:45     Parsing cache/vuln-list/mariner/1.0
2024/05/15 15:51:45     Parsing cache/vuln-list/mariner/2.0

[knqyf263]

Thanks for confirming. I'll merge this PR, then.

[knqyf263]

I left some small comments.

[knqyf263]

AFAIK, they use hyphens.

Suggested change

	// Mariner uses `<ID>_<last_number_from_version>` format for `advisory_id`.
	// Mariner uses `<ID>-<last_number_from_version>` format for `advisory_id`.

[knqyf263]

We should start calling Azure Linux.

Suggested change

	// Mariner uses `<ID>_<last_number_from_version>` format for `advisory_id`.
	// Azure Linux uses `<ID>_<last_number_from_version>` format for `advisory_id`.

[DmitriyLewen]

fixed in 995ea97

[knqyf263]

The ID is something like oval:com.microsoft.cbl-mariner:obj:31880001. Shouldn't we extract the last digits, 31880001?

[DmitriyLewen]

Nice catch!
Changed in 995ea97
Also added tests - 7074604

[knqyf263]

Suggested change

	advisoryID = fmt.Sprintf("%s_%s", advisoryID, def.Version[len(def.Version)-1:])
	advisoryID = fmt.Sprintf("%s-%s", advisoryID, def.Version[len(def.Version)-1:])

[DmitriyLewen]

fixed in 995ea97

[knqyf263]

nit

Suggested change

	// Therefore, if `advisory_id` is not exist, we create this field independently.
	// Therefore, if `advisory_id` does not exist, we create this field independently.

[DmitriyLewen]

updated in 995ea97

[knqyf263]

Triggered the workflow
https://github.com/aquasecurity/vuln-list-update/actions/runs/9095013101