
[FIX] implement fixes based on parsing and querying errors for CDX #1855

Merged
merged 2 commits into from
Apr 23, 2024
Merged
40 changes: 12 additions & 28 deletions cmd/guacone/cmd/vulnerability.go
Expand Up @@ -22,7 +22,6 @@ import (
"net/http"
"os"
"strings"
"sync"

"github.com/Khan/genqlient/graphql"
model "github.com/guacsec/guac/pkg/assembler/clients/generated"
Expand Down Expand Up @@ -433,24 +432,17 @@ func searchDependencyPackagesReverse(ctx context.Context, gqlclient graphql.Clie
}
}

func concurrentVulnAndVexNeighbors(ctx context.Context, gqlclient graphql.Client, pkgID string, isDep model.AllHasSBOMTreeIncludedDependenciesIsDependency, resultChan chan<- struct {
type pkgVersionNeighborQueryResults struct {
pkgVersionNeighborResponse *model.NeighborsResponse
isDep model.AllHasSBOMTreeIncludedDependenciesIsDependency
}, wg *sync.WaitGroup) {
defer wg.Done()
}

logger := logging.FromContext(ctx)
func getVulnAndVexNeighbors(ctx context.Context, gqlclient graphql.Client, pkgID string, isDep model.AllHasSBOMTreeIncludedDependenciesIsDependency) (*pkgVersionNeighborQueryResults, error) {
pkgVersionNeighborResponse, err := model.Neighbors(ctx, gqlclient, pkgID, []model.Edge{model.EdgePackageCertifyVuln, model.EdgePackageCertifyVexStatement})
if err != nil {
logger.Errorf("error querying neighbor for vulnerability: %w", err)
return
return nil, fmt.Errorf("failed to get neighbors for pkgID: %s with error %w", pkgID, err)
}

// Send the results to the resultChan
resultChan <- struct {
pkgVersionNeighborResponse *model.NeighborsResponse
isDep model.AllHasSBOMTreeIncludedDependenciesIsDependency
}{pkgVersionNeighborResponse, isDep}
return &pkgVersionNeighborQueryResults{pkgVersionNeighborResponse: pkgVersionNeighborResponse, isDep: isDep}, nil
}

// searchPkgViaHasSBOM takes in either a purl or URI for the initial value to find the hasSBOM node.
Expand All @@ -460,7 +452,7 @@ func searchPkgViaHasSBOM(ctx context.Context, gqlclient graphql.Client, searchSt
var path []string
var tableRows []table.Row
checkedPkgIDs := make(map[string]bool)
var wg sync.WaitGroup
var collectedPkgVersionResults []*pkgVersionNeighborQueryResults

queue := make([]string, 0) // the queue of nodes in bfs
type dfsNode struct {
Expand All @@ -474,11 +466,6 @@ func searchPkgViaHasSBOM(ctx context.Context, gqlclient graphql.Client, searchSt
nodeMap[searchString] = dfsNode{}
queue = append(queue, searchString)

resultChan := make(chan struct {
pkgVersionNeighborResponse *model.NeighborsResponse
isDep model.AllHasSBOMTreeIncludedDependenciesIsDependency
})

for len(queue) > 0 {
now := queue[0]
queue = queue[1:]
Expand Down Expand Up @@ -560,8 +547,11 @@ func searchPkgViaHasSBOM(ctx context.Context, gqlclient graphql.Client, searchSt
if !dfsN.expanded {
queue = append(queue, pkgID)
}
wg.Add(1)
go concurrentVulnAndVexNeighbors(ctx, gqlclient, pkgID, isDep, resultChan, &wg)
pkgVersionNeighbors, err := getVulnAndVexNeighbors(ctx, gqlclient, pkgID, isDep)
if err != nil {
return nil, nil, fmt.Errorf("getVulnAndVexNeighbors failed with error: %w", err)
}
collectedPkgVersionResults = append(collectedPkgVersionResults, pkgVersionNeighbors)
checkedPkgIDs[pkgID] = true
}
}
Expand All @@ -570,16 +560,10 @@ func searchPkgViaHasSBOM(ctx context.Context, gqlclient graphql.Client, searchSt
nodeMap[now] = nowNode
}

// Close the result channel once all goroutines are done
go func() {
wg.Wait()
close(resultChan)
}()

checkedCertifyVulnIDs := make(map[string]bool)

// Collect results from the channel
for result := range resultChan {
for _, result := range collectedPkgVersionResults {
for _, neighbor := range result.pkgVersionNeighborResponse.Neighbors {
if certifyVuln, ok := neighbor.(*model.NeighborsNeighborsCertifyVuln); ok {
if !checkedCertifyVulnIDs[certifyVuln.Id] {
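Review bot: The new type `pkgVersionNeighborQueryResults` and function `getVulnAndVexNeighbors` have no doc comments; suggest `// getVulnAndVexNeighbors queries the CertifyVuln and CertifyVEXStatement neighbors of the package version pkgID and pairs the response with the isDependency edge it was reached through.` above the function and `// pkgVersionNeighborQueryResults holds one Neighbors response together with the dependency edge it was queried for.` above the type. The error built in `getVulnAndVexNeighbors` is wrapped a second time in the caller with another "failed with error" prefix, so one message ends up saying the same thing twice; one layer of context is enough, e.g. `return nil, fmt.Errorf("querying neighbors for pkgID %q: %w", pkgID, err)` in the helper and a plain `return nil, nil, err` at the call site. Dropping the goroutines also turns the neighbor lookups into one serialised GraphQL round-trip per dependency, all completed before any result is examined; if SBOMs with many dependencies are common, a bounded set of workers would keep the new error propagation while restoring most of the throughput. `searchPkgViaHasSBOM` starts and ends outside the hunks shown here.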
@@ -0,0 +1,50 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"metadata" : {
"timestamp" : "2022-03-03T00:00:00Z",
"component" : {
"name" : "ABC",
"type" : "application",
"bom-ref" : "product-ABC"
}
},
"vulnerabilities": [
{
"id": "CVE-2021-44228",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1"
},
"score": 10.0,
"severity": "critical",
"method": "CVSSv31",
"vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
}
],
"description": "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. The highest threat from this vulnerability is data integrity.",
"affects": [
{
"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#product-ABC",
"versions": [
{
"version": "2.4",
"status": "affected"
},
{
"version": "2.6",
"status": "affected"
}
]
}
]
}
]
}
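Review bot: The `affects[].ref` value `urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#product-ABC` is written as a CycloneDX BOM-link, but this document declares no `serialNumber`, so the link cannot be resolved against the BOM it sits in. If the parser only matches on the `#product-ABC` fragment this is harmless; otherwise the fixture may not exercise the affected-component path it appears meant for, so either add a matching `"serialNumber"` (presumably `urn:uuid:` plus the same UUID) or confirm in the test that embeds it that the fragment match is what is relied on. The file path of this new fixture is not shown in this section; from the embed directive added elsewhere in the PR it is presumably exampledata/cyclonedx-vex-no-analysis.json.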
39 changes: 34 additions & 5 deletions internal/testing/testdata/testdata.go
Expand Up @@ -18,7 +18,6 @@ package testdata
import (
_ "embed"
"encoding/base64"
"fmt"
"time"

"github.com/google/go-cmp/cmp"
Expand Down Expand Up @@ -111,6 +110,9 @@ var (
//go:embed exampledata/cyclonedx-vex-affected.json
CycloneDXVEXAffected []byte

//go:embed exampledata/cyclonedx-vex-no-analysis.json
CycloneDXVEXWithoutAnalysis []byte

//go:embed exampledata/cyclonedx-vex.xml
CyloneDXVEXExampleXML []byte

Expand Down Expand Up @@ -186,8 +188,8 @@ var (
VexData: &generated.VexStatementInputSpec{
Status: generated.VexStatusNotAffected,
VexJustification: generated.VexJustificationVulnerableCodeNotInExecutePath,
Statement: "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly.",
StatusNotes: fmt.Sprintf("%s:%s", generated.VexStatusNotAffected, generated.VexJustificationVulnerableCodeNotInExecutePath),
Statement: "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. The highest threat from this vulnerability is data integrity.",
StatusNotes: "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly.",
KnownSince: parseUTCTime("2020-12-03T00:00:00.000Z"),
},
},
Expand Down Expand Up @@ -231,8 +233,15 @@ var (
VexDataAffected = &generated.VexStatementInputSpec{
Status: generated.VexStatusAffected,
VexJustification: generated.VexJustificationNotProvided,
Statement: "Versions of Product ABC are affected by the vulnerability. Customers are advised to upgrade to the latest release.",
StatusNotes: fmt.Sprintf("%s:%s", generated.VexStatusAffected, generated.VexJustificationNotProvided),
Statement: "",
StatusNotes: "Versions of Product ABC are affected by the vulnerability. Customers are advised to upgrade to the latest release.",
KnownSince: time.Unix(0, 0),
}
VexDataNoAnalysis = &generated.VexStatementInputSpec{
Status: generated.VexStatusAffected,
VexJustification: generated.VexJustificationNotProvided,
Statement: "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. The highest threat from this vulnerability is data integrity.",
StatusNotes: "",
KnownSince: time.Unix(0, 0),
}
CycloneDXAffectedVulnMetadata = []assembler.VulnMetadataIngest{
Expand All @@ -245,6 +254,16 @@ var (
},
},
}
CycloneDXNoAnalysisVulnMetadata = []assembler.VulnMetadataIngest{
{
Vulnerability: VulnSpecAffected,
VulnMetadata: &generated.VulnerabilityMetadataInputSpec{
ScoreType: generated.VulnerabilityScoreTypeCvssv31,
ScoreValue: 10,
Timestamp: time.Unix(0, 0),
},
},
}

topLevelPkg, _ = asmhelpers.PurlToPkg("pkg:guac/cdx/ABC")
HasSBOMVexAffected = []assembler.HasSBOMIngest{
Expand All @@ -257,6 +276,16 @@ var (
},
},
}
HasSBOMVexNoAnalysis = []assembler.HasSBOMIngest{
{
Pkg: topLevelPkg,
HasSBOM: &model.HasSBOMInputSpec{
Algorithm: "sha256",
Digest: "265c99f1f9a09b7fc10c14c97ca1a07fc52ae470f5cbcddd9baf5585fb28221c",
KnownSince: parseRfc3339("2022-03-03T00:00:00Z"),
},
},
}

// DSSE/SLSA Testdata

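Review bot: The long jackson-databind description is now repeated verbatim as a string literal, once in the `Statement:` field of the not-affected VEX data and again in `VexDataNoAnalysis`; it must stay byte-identical to the text in the JSON fixtures, so put it in one package-level constant, e.g. `const jacksonDatabindDescription = "com.fasterxml.jackson.core:jackson-databind is a library ..."`, and reference it from both places. `Statement: ""` in `VexDataAffected` and `StatusNotes: ""` in `VexDataNoAnalysis` are just the zero value; either drop them or keep them with a short comment such as `// no analysis block in the fixture, so no notes are expected` so a reader knows the emptiness is deliberate rather than an oversight. The `var (` block these live in starts and ends outside the hunks shown.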
2 changes: 1 addition & 1 deletion pkg/assembler/helpers/purl.go
Expand Up @@ -137,7 +137,7 @@ func purlConvert(p purl.PackageURL) (*model.PkgInputSpec, error) {
purl.TypeDebian, purl.TypeGem, purl.TypeGithub,
purl.TypeGolang, purl.TypeHackage, purl.TypeHex, purl.TypeMaven,
purl.TypeNPM, purl.TypeNuget, purl.TypePyPi, purl.TypeRPM, purl.TypeSwift,
purl.TypeGeneric:
purl.TypeGeneric, purl.TypeYocto, purl.TypeCpan:
// some code
r := pkg(p.Type, p.Namespace, p.Name, p.Version, p.Subpath, p.Qualifiers.Map())
return r, nil
8 changes: 8 additions & 0 deletions pkg/assembler/helpers/purl_test.go
Expand Up @@ -208,6 +208,14 @@ func TestPurlConvert(t *testing.T) {
expected: pkg("oci", "registry.redhat.io/ubi9", "ubi9-container", "sha256:8614ce95268b970880a1eca97dddfce5154fab35418d839c5f75012cccaca0d9", "", map[string]string{
"tag": "9.2-489",
}),
}, {
purlUri: "pkg:yocto/dmidecode@2.12-r0?arch=core2-32",
expected: pkg("yocto", "", "dmidecode", "2.12-r0", "", map[string]string{
"arch": "core2-32",
}),
}, {
purlUri: "pkg:cpan/Pod-Perldoc@3.20",
expected: pkg("cpan", "", "Pod-Perldoc", "3.20", "", map[string]string{}),
},
}

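Review bot: The new cpan case only covers a purl with no namespace (`pkg:cpan/Pod-Perldoc@3.20`), while `purlConvert` now forwards `p.Namespace` for that type as well; a second row with a namespaced form, e.g. `purlUri: "pkg:cpan/SOMEAUTHOR/Pod-Perldoc@3.20"` (constructed) expecting `pkg("cpan", "SOMEAUTHOR", "Pod-Perldoc", "3.20", "", map[string]string{})`, would pin that the namespace is carried through rather than dropped. The same applies to the yocto row, which exercises a qualifier but not a namespace. The table and `TestPurlConvert` itself begin and end outside the hunk.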