Improve image introspection to let tools report CVEs & SBOM #70

Closed
AmitKumarDas opened this issue Mar 30, 2023 · 7 comments
Comments

@AmitKumarDas

Hi Team,
Is there anything that can be done to introspect the built images? I was interested to check whether existing SBOM tools & CVE scanners can derive some insights from the images generated via nix2container.

In addition, I wanted to understand the reason for the current size of the images. I believe they are not minimal & perhaps can be customised further such that the final image has less size.

E.g. I was doing a comparative study between the nginx image from chainguard

Note: nginx:x7fh59yyzwlrfsc98rw4bpkm4hcmg4dz was generated using nix2container

```
docker images
REPOSITORY                 TAG                                IMAGE ID       CREATED        SIZE
cgr.dev/chainguard/nginx   latest                             8506f9922bea   13 hours ago   21.3MB
nginx                      x7fh59yyzwlrfsc98rw4bpkm4hcmg4dz   5d209e8e196b   N/A            122MB
```

```
grype cgr.dev/chainguard/nginx:latest
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [30 packages]
 ✔ Scanning image...       [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed
No vulnerabilities found
```

```
syft cgr.dev/chainguard/nginx:latest
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [30 packages]
NAME                    VERSION      TYPE 
ca-certificates-bundle  20230106-r0  apk   
execline                2.9.2.1-r1   apk   
glibc                   2.37-r6      apk   
glibc-locale-posix      2.37-r6      apk   
ld-linux                2.37-r6      apk   
libcrypto3              3.1.0-r2     apk   
libgcc                  12.2.0-r9    apk   
libssl3                 3.1.0-r2     apk   
libstdc++               12.2.0-r9    apk   
nginx                   1.23.3-r1    apk   
pcre                    8.45-r0      apk   
s6                      2.11.3.0-r0  apk   
skalibs                 2.13.1.0-r1  apk   
wolfi-baselayout        20230201-r0  apk   
zlib                    1.2.13-r3    apk   
```

versus.

```
grype nginx:x7fh59yyzwlrfsc98rw4bpkm4hcmg4dz
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [0 packages]
 ✔ Scanning image...       [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed
```

```
syft nginx:x7fh59yyzwlrfsc98rw4bpkm4hcmg4dz
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [0 packages]
No packages discovered
```
AmitKumarDas changed the title from "Improve image introspection for tools like grype, syft to report CVEs & SBOM" to "Improve image introspection to let tools report CVEs & SBOM" on Mar 30, 2023
@nlewo
Owner

nlewo commented Mar 30, 2023

Hello,

> I was interested to check if existing SBOM tools & CVE scanners can derive some insights from the images generated via nix2container.

I never used this kind of tools but they don't seem to be supporting Nix (or nixpkgs).
However, it could be pretty trivial to generate a document containing the list of software with their versions. Actually, the nix2container image specification (nix build github:nlewo/nix2container#examples.nginx --print-out-paths | xargs cat) seems to contain the relevant information (there would be better ways to generate the list of runtime dependencies).

> In addition, I wanted to understand the reason for the current size of the images. I believe they are not minimal & perhaps can be customised further s.t. the final image has less size.

Sorry, my answer is not really helpful, but this is related to the nginx closure (which comes from nixpkgs):

```
nix path-info n#nginx -Sh
/nix/store/qyrrkm33b9887jpql3dvgrifk244n3kh-nginx-1.22.1	 112.0M
```

And I don't know why the cgr.dev/chainguard/nginx:latest image size is so much better!

FYI, here is the list of nginx image store paths, sorted by size:

```
nix path-info github:nlewo/nix2container#examples.nginx -rs | sort -rnk2
/nix/store/76l4v99sk83ylfwkz8wmwrm4s8h73rhd-glibc-2.35-224           	   30269992
/nix/store/c6bakr5dqws3k1qdk0qxzlysbg9gka1p-libjxl-0.7.0             	   22346864
/nix/store/4qf8shwiq3nhrsdsfs5763q14w40k0dy-libaom-3.5.0             	    9014048
/nix/store/2w4k8nvdyiggz717ygbbxchpnxrqc6y9-gcc-12.2.0-lib           	    8164464
/nix/store/5438qhyypn1kbdnm4312v8db4mkapwhl-openssl-3.0.8            	    6464448
/nix/store/i57gy46jk8fklzzg8h9ywsx4rgd5k8i6-gperftools-2.10          	    5962024
/nix/store/h6smkld8irnav6yha088dn9h4cihzqz5-openexr-2.5.8            	    4793944
/nix/store/w5dllf9qma5566c6dn0553s253ywsyxl-libyuv-1787              	    3678440
/nix/store/y0ym7qckhfldadc4wbwv0hs7765v10rd-libX11-1.8.4             	    2707960
/nix/store/b0y3xp325wddrr9a471yh7nk3zjldkb9-dav1d-1.0.0              	    2448584
/nix/store/2jq0rdhc7wb8fj0q82whsj9p50sdmvcv-freetype-2.12.1          	    2073968
/nix/store/a7pjd17zkpc5b7wjxpmr5zn2121c8wb1-nginx-1.22.1             	    1836808
/nix/store/qmnr18aqd08zdkhka695ici96k6nzirv-libunistring-1.0         	    1804200
/nix/store/6ahs2w409ysgvz4r0k1g0kypf6k3iwps-brotli-1.0.9-lib         	    1778856
/nix/store/d6k56h2hf6p62qvagr4zgb58i03sr380-fontconfig-2.14.0        	    1685328
/nix/store/5ynbf6wszmggr0abwifdagrixgnya5vy-bash-5.2-p15             	    1678048
/nix/store/rvv0110i3pg28vrhadhi1qfmhpgj1azy-libjpeg-turbo-2.1.4      	    1653472
/nix/store/hmh8yakhrp3r95b7r085m4xnzp8crz3b-libxml2-2.10.3           	    1594376
/nix/store/cnkr9byk03mz454yzx48jkyy0c2rlfjz-libxcb-1.14              	    1383136
/nix/store/yqj5x0wrfvinf67yi3vgk92k02369p9b-libvmaf-2.3.1            	    1277072
/nix/store/ckvyb7jxzmnvp1pjhm7y871zxwv4m9xq-libwebp-1.3.0            	    1257992
/nix/store/9jm97na5s5z0xpw7iz58vkz8h6rxjp0r-ilmbase-2.5.8            	    1164440
/nix/store/wfz3rd51ka009f3l4g6gh7innyf0gq2f-xz-5.4.1                 	     799808
/nix/store/rmw6cl0f9x9g6s9w9jlid069dbzfkfvw-dejavu-fonts-minimal-2.37	     760472
/nix/store/90n3cy31f8qlrzs4hmhdwnxawddpb1a9-libtiff-4.5.0            	     611888
/nix/store/x6nnam5hk44mljbk782rcbd92jlnz8r6-pcre-8.45                	     526776
/nix/store/k6vlq06f9ad07z368mjd7dwd9llxx20c-gd-2.3.3                 	     456288
/nix/store/4wz3rc4hi1jf1gbxlnh17v0cwwb63hv1-giflib-5.2.1             	     410208
/nix/store/al2c9nyjfmkk1hx8606j56vh2i1m1anc-libdeflate-1.17          	     401360
/nix/store/wj70ar7dgf4ynywqmhxqys5p2rvbhabd-libavif-0.11.1           	     389552
/nix/store/8ilmxyjyn4fn3ll7s19shppp7izswp2c-libxslt-1.1.37           	     385664
/nix/store/mv56qyvfin02c96mxrdh60p3c0j05dvn-fontconfig-2.14.0-lib    	     369432
/nix/store/rsawyp9vkxxc328jvl57zbf9i2jfk5g0-geoip-1.6.12             	     322144
/nix/store/vv6rlzln7vhxk519rdsrzmhhlpyb5q2m-libidn2-2.3.2            	     260216
/nix/store/inrxvaqv2zkdhg2v5vhqc0257p92wl2q-expat-2.5.0              	     259312
/nix/store/idx4lcdd1p91dpib06d5mwyhszs6w8xw-libpng-apng-1.6.39       	     255312
/nix/store/c06np1spdb2bbsfp5x3716d529mrxw7b-libxcrypt-4.4.33         	     236048
/nix/store/7qi20jm778jyq6rzvaxswkkcwr646s5c-libunwind-1.6.2          	     228216
/nix/store/jmx6hd6qykl0a8vxrf6pv6m8q2c0kpxn-gzip-1.12                	     156792
/nix/store/yvmxjw247mqy3w2fhb995rsvw2d6b60j-zlib-ng-2.0.6            	     133816
/nix/store/mg9l7phyhvi16p9g8g3g8fbyj4mr79gq-zlib-1.2.13              	     128656
/nix/store/9yaazwk25yjbs6as9phv93hf4b74rlzk-libXpm-3.5.15            	      86616
/nix/store/k0yrr5yq9yghbvvfv0qkblyia576kg4f-bzip2-1.0.8              	      81360
/nix/store/i5a67w3smvl9bnxmdffv8nzp4rmwk20a-ncompress-5.0            	      75960
/nix/store/3bhillndvhi9pvdkr4bb145170s7h7lz-libXdmcp-1.1.3           	      32384
/nix/store/qnwa2z8b9y76almh1mpp1iwnwdvrzxbj-libXau-1.0.9             	      23992
/nix/store/x7fh59yyzwlrfsc98rw4bpkm4hcmg4dz-image-nginx.json         	       5512
/nix/store/f3lfxd1ayr2pk7x394iafvwmhwbpfkq9-fake-nss                 	       1368
/nix/store/jhf1mz8wlysck2n5n16jyglz7fcxfh8j-nginx-var                	        936
/nix/store/zim1s6hmlxfn7dw2a14l78ynvrpmp9yv-passwd                   	        536
/nix/store/yw58xfpm5mxyb7rcqd7cw6njmgn2g7zs-group                    	        480
/nix/store/jp2xhfkfzdxr0rlxqydd2d3d3firphkd-nsswitch.conf            	        480
/nix/store/0xgvk5vmi5y65y0rkd7vf0s7nbbbk5pd-nginx.conf               	        376
/nix/store/65nnlyf4bhk1k9ds6qpqnaf1cd1flb2j-index.html               	        344
```
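
nlewo's point above, that the image's runtime closure already carries the name/version list a scanner needs, can be turned into a scanner-readable document. The following is an added example, not nix2container's or sbomnix's code: it parses `nix path-info <installable> -rs` output (store path and size, the format printed in the comment above), splits each store name into name and version with the same rule Nix's `builtins.parseDrvName` uses (the version starts at the first dash followed by a digit), and writes a CycloneDX 1.4 JSON SBOM. The sample listing is a constructed subset of the lines above; the `pkg:generic` purl, the wildcard-vendor CPE and the version normalisation are assumptions about what a scanner will match, not something the thread establishes.

```python
"""Build a CycloneDX 1.4 SBOM from the runtime closure of a nix2container image.

Added example (not nix2container's or sbomnix's code). Input is the output of
`nix path-info <installable> -rs`: one store path per line, then its size.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample: a subset of the `nix path-info ... -rs` lines from the thread.
CLOSURE_LISTING = """\
/nix/store/76l4v99sk83ylfwkz8wmwrm4s8h73rhd-glibc-2.35-224\t30269992
/nix/store/2w4k8nvdyiggz717ygbbxchpnxrqc6y9-gcc-12.2.0-lib\t8164464
/nix/store/5438qhyypn1kbdnm4312v8db4mkapwhl-openssl-3.0.8\t6464448
/nix/store/a7pjd17zkpc5b7wjxpmr5zn2121c8wb1-nginx-1.22.1\t1836808
/nix/store/5ynbf6wszmggr0abwifdagrixgnya5vy-bash-5.2-p15\t1678048
/nix/store/rmw6cl0f9x9g6s9w9jlid069dbzfkfvw-dejavu-fonts-minimal-2.37\t760472
/nix/store/x7fh59yyzwlrfsc98rw4bpkm4hcmg4dz-image-nginx.json\t5512
/nix/store/f3lfxd1ayr2pk7x394iafvwmhwbpfkq9-fake-nss\t1368
"""

# /nix/store/<32-char base32 hash>-<drvname>
STORE_PATH_RE = re.compile(r"^/nix/store/[0-9a-z]{32}-(?P<drvname>.+)$")


def parse_drv_name(drv_name: str) -> tuple:
    """Split 'name-version' the way builtins.parseDrvName does: the version
    begins at the first '-' that is followed by a digit.
    'gcc-12.2.0-lib' -> ('gcc', '12.2.0-lib'); 'fake-nss' -> ('fake-nss', '')."""
    m = re.search(r"-(?=[0-9])", drv_name)
    if m is None:
        return drv_name, ""
    return drv_name[: m.start()], drv_name[m.end():]


def cpe_version(version: str) -> str:
    """Keep only the leading dotted-numeric part of a nixpkgs version.
    Assumption: suffixes such as '-lib', '-p15' or '-224' are nixpkgs
    conventions that never appear in NVD CPE version strings."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return m.group(0) if m else version


def parse_closure(listing: str) -> list:
    """Turn `nix path-info -rs` lines into {path, name, version, size} records."""
    records = []
    for line in listing.splitlines():
        parts = line.split()
        if not parts:
            continue
        path, size = parts[0], parts[-1]
        m = STORE_PATH_RE.match(path)
        if m is None:
            raise ValueError(f"not a Nix store path: {path!r}")
        name, version = parse_drv_name(m.group("drvname"))
        records.append({"path": path, "name": name, "version": version, "size": int(size)})
    return records


def to_cyclonedx(records: list, image_name: str) -> dict:
    """Emit a CycloneDX 1.4 document. Versionless entries (config files, the
    image JSON itself) stay in the inventory but get no purl/cpe, so a scanner
    skips them rather than matching on a meaningless version."""
    components = []
    for r in records:
        comp = {
            "type": "library",
            "name": r["name"],
            "bom-ref": r["path"],
            "properties": [
                {"name": "nix:store-path", "value": r["path"]},
                {"name": "nix:closure-size", "value": str(r["size"])},
            ],
        }
        if r["version"]:
            comp["version"] = r["version"]
            # pkg:generic is a standard purl type; the '*' vendor CPE is an
            # assumption that trades precision for recall (expect false positives).
            comp["purl"] = f"pkg:generic/{r['name']}@{r['version']}"
            comp["cpe"] = f"cpe:2.3:a:*:{r['name']}:{cpe_version(r['version'])}:*:*:*:*:*:*:*"
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "container", "name": image_name},
        },
        "components": components,
    }


if __name__ == "__main__":
    bom = to_cyclonedx(parse_closure(CLOSURE_LISTING), "nginx")
    with open("sbom.cdx.json", "w") as fh:
        json.dump(bom, fh, indent=2)
    print(f"wrote sbom.cdx.json with {len(bom['components'])} components")
```

Feed the file to grype with `grype sbom:./sbom.cdx.json`. Match quality depends on the CPE: nixpkgs version strings such as `12.2.0-lib` or `2.35-224` do not exist in NVD, which is why the example keeps only the leading dotted number, and the `*` vendor will over-match. A real generator (sbomnix, or the CycloneDX work mentioned later in this thread) maintains a vendor/product mapping instead.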

@AmitKumarDas
Author

AmitKumarDas commented Mar 31, 2023

Thanks @nlewo for your quick response.

> I never used this kind of tools but they don't seem to be supporting Nix (or nixpkgs).

I forgot to mention the source of these tools. These are standard tools used by cloud native enterprises. Following are their github repo locations:

Query: Is there any specific tool that Nixpkgs recommends to scan these images or perhaps the store path? In fact none of the scanners that I know understand Nix store paths. So the only way to integrate with existing scanners is to generate a standard SBOM out of a nix realisation & let the scanners do the rest of the job.

> And I don't know why the cgr.dev/chainguard/nginx:latest image size is so much better!

AFAIK chainguard folks have been persistent in implementing various distroless images. You may be already aware that "distroless" is the name given to a container image that contains the application binary & its runtime dependencies & nothing else. For example, a distroless image will not have any build dependencies, package managers (such as apt, apk, etc.), and utilities such as bash, etc.

I will try to explain specifically about the cgr.dev/chainguard/nginx:latest image and hopefully it helps all (Note that I am no expert here as well). The source of the image can be traced back to latest.apko.yaml. This file is understood by apko which is used to build OCI images out of apk files (Alpine Package Kit). The README page of the apko project provides a great explanation of the motivation of the project.

In order to build from source & produce the result as an apk file, they use melange. We can take a look at this melange file to understand how the GNU hello program is built from source & packaged into an apk file.

If one has read the provided references they would have come across WOLFI which is the equivalent of nixpkgs. This is the melange yaml for nginx package found in WOLFI. The nginx package built (via melange file) here is referred to in apko file to produce the final OCI image(s). The list of other ready to consume OCI images can be found here.

It will also help folks to read this blog to dive deep into WOLFI mechanics.

Again my intention is not to advertise one over other. I am currently searching for an ideal package manager & better dev tools to generate OCI images that are minimal in size (preferably with 0 CVEs) & comply with SLSA guidelines.

@nlewo
Owner

nlewo commented Apr 2, 2023

Looks like it will soon become possible to generate a SBOM from a Nix expression:

> @solene got a grant from NLNet NGI0-entrust to build a CycloneDX SBOM generator from Nix packages, including a public website that will contain pre-generated SBOM for every package in nixpkgs, with a human friendly viewer.

Sources:

@AmitKumarDas
Author

@nlewo Is there a way to get the CVE report using following tool:

```
nix run github:tiiuae/sbomnix#vulnxscan -- ./result
```

Can we build this nginx example as a regular nix build output? It will help us to feed the output to above tool which will generate SBOM on fly & further run against multiple scanners.

@nlewo
Owner

nlewo commented Apr 22, 2023

@AmitKumarDas it is because vulnxscan fails if the Nix output path is a JSON file. I opened this vulnxscan issue.

BTW, you could still get a result by using the image.json derivation:

```
nix run github:tiiuae/sbomnix#vulnxscan -- $(nix show-derivation github:nlewo/nix2container#examples.bash | jq '. | keys[0]' -r)
INFO     Generating SBOM for target '/nix/store/5njqck1cw6587a6hakpby3la9zxsywp8-image-bash.json.drv'
INFO     Loading runtime dependencies referenced by '/nix/store/5njqck1cw6587a6hakpby3la9zxsywp8-image-bash.json.drv'
INFO     Using SBOM '/tmp/vulnxscan_3u6hkvpq.json'
INFO     Running vulnix scan
INFO     Running grype scan
INFO     Running OSV scan
INFO     Querying vulnerabilities
INFO     Console report

Potential vulnerabilities impacting '/nix/store/5njqck1cw6587a6hakpby3la9zxsywp8-image-bash.json.drv' or some of its runtime dependencies:

| vuln_id       | url                                            | package   |  version  |  grype  |  osv  |  vulnix  |  sum  |
|---------------+------------------------------------------------+-----------+-----------+---------+-------+----------+-------|
| CVE-2016-2781 | https://nvd.nist.gov/vuln/detail/CVE-2016-2781 | coreutils |    9.1    |    1    |   0   |    0     |   1   |

INFO     Wrote: vulns.csv
```

@AmitKumarDas
Author

Thanks @nlewo
Latest vulnxscan works fine now. Below is the scan I had run against nginx result built using nix2container.

```
nix run github:tiiuae/sbomnix#vulnxscan -- ./result
INFO     Generating SBOM for target '/nix/store/szip4s22dyppsqdv03jlscnij1mh3ldm-image-nginx.json'
INFO     Loading runtime dependencies referenced by '/nix/store/szip4s22dyppsqdv03jlscnij1mh3ldm-image-nginx.json'
INFO     Using SBOM '/tmp/vulnxscan_f49nk05q.json'
INFO     Running vulnix scan
INFO     Running grype scan
INFO     Running OSV scan
INFO     Querying vulnerabilities
INFO     Console report

Potential vulnerabilities impacting 'result' or some of its runtime dependencies:

| vuln_id        | url                                             | package   | version   |  grype  |  osv  |  vulnix  |  sum  |
|----------------+-------------------------------------------------+-----------+-----------+---------+-------+----------+-------|
| CVE-2023-2004  | https://nvd.nist.gov/vuln/detail/CVE-2023-2004  | freetype  | 2.12.1    |    0    |   0   |    1     |   1   |
| CVE-2023-1916  | https://nvd.nist.gov/vuln/detail/CVE-2023-1916  | libtiff   | 4.5.0     |    1    |   0   |    1     |   2   |
| CVE-2023-0645  | https://nvd.nist.gov/vuln/detail/CVE-2023-0645  | libjxl    | 0.7.0     |    1    |   0   |    1     |   2   |
| CVE-2023-0466  | https://nvd.nist.gov/vuln/detail/CVE-2023-0466  | openssl   | 3.0.8     |    1    |   0   |    1     |   2   |
| CVE-2023-0465  | https://nvd.nist.gov/vuln/detail/CVE-2023-0465  | openssl   | 3.0.8     |    1    |   0   |    1     |   2   |
| CVE-2023-0464  | https://nvd.nist.gov/vuln/detail/CVE-2023-0464  | openssl   | 3.0.8     |    1    |   0   |    1     |   2   |
| CVE-2022-48281 | https://nvd.nist.gov/vuln/detail/CVE-2022-48281 | libtiff   | 4.5.0     |    1    |   0   |    0     |   1   |
| CVE-2022-28506 | https://nvd.nist.gov/vuln/detail/CVE-2022-28506 | giflib    | 5.2.1     |    1    |   1   |    0     |   2   |
| OSV-2022-836   | https://osv.dev/OSV-2022-836                    | libjxl    | 0.7.0     |    0    |   1   |    0     |   1   |
| OSV-2022-674   | https://osv.dev/OSV-2022-674                    | dav1d     | 1.0.0     |    0    |   1   |    0     |   1   |
| OSV-2022-608   | https://osv.dev/OSV-2022-608                    | libjxl    | 0.7.0     |    0    |   1   |    0     |   1   |
| CVE-2021-26945 | https://nvd.nist.gov/vuln/detail/CVE-2021-26945 | openexr   | 2.5.8     |    1    |   0   |    1     |   2   |
| CVE-2021-26260 | https://nvd.nist.gov/vuln/detail/CVE-2021-26260 | openexr   | 2.5.8     |    1    |   0   |    1     |   2   |
| CVE-2021-23215 | https://nvd.nist.gov/vuln/detail/CVE-2021-23215 | openexr   | 2.5.8     |    1    |   0   |    1     |   2   |
| CVE-2021-23169 | https://nvd.nist.gov/vuln/detail/CVE-2021-23169 | openexr   | 2.5.8     |    1    |   0   |    1     |   2   |
| CVE-2021-3933  | https://nvd.nist.gov/vuln/detail/CVE-2021-3933  | openexr   | 2.5.8     |    1    |   0   |    1     |   2   |
| CVE-2021-3605  | https://nvd.nist.gov/vuln/detail/CVE-2021-3605  | openexr   | 2.5.8     |    1    |   0   |    1     |   2   |
| CVE-2021-3598  | https://nvd.nist.gov/vuln/detail/CVE-2021-3598  | openexr   | 2.5.8     |    1    |   0   |    1     |   2   |
| OSV-2021-777   | https://osv.dev/OSV-2021-777                    | libxml2   | 2.10.3    |    0    |   1   |    0     |   1   |
| OSV-2020-1610  | https://osv.dev/OSV-2020-1610                   | openexr   | 2.5.8     |    0    |   1   |    0     |   1   |
| CVE-2015-7313  | https://nvd.nist.gov/vuln/detail/CVE-2015-7313  | libtiff   | 4.5.0     |    1    |   0   |    0     |   1   |

INFO     Wrote: vulns.csv
```
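
The report above is assembled from three independent scanners, and the per-scanner 0/1 columns together with `sum` are what make it usable for triage: a finding that only one scanner produces deserves a closer look before anyone acts on it. As an added example (not sbomnix's code), the following merges per-scanner results into that table shape, derives the advisory URL from the id prefix as the report does, and filters on cross-scanner agreement. The input format is an assumption: each scanner's native output is taken to have been reduced to a set of (vuln_id, package, version) tuples beforehand; the sample findings are a constructed subset of the rows in the report above.

```python
"""Cross-scanner merge of vulnerability findings, reproducing the grype/osv/vulnix
columns and the 'sum' column of the vulnxscan report.

Added example, not sbomnix's code. Assumed input: each scanner's output already
reduced to a set of (vuln_id, package, version) tuples.
"""

# Constructed sample: a subset of the nginx report's rows, split back out into
# what each scanner reported on its own.
FINDINGS = {
    "grype": {
        ("CVE-2023-1916", "libtiff", "4.5.0"),
        ("CVE-2023-0464", "openssl", "3.0.8"),
        ("CVE-2022-28506", "giflib", "5.2.1"),
        ("CVE-2015-7313", "libtiff", "4.5.0"),
    },
    "osv": {
        ("CVE-2022-28506", "giflib", "5.2.1"),
        ("OSV-2022-674", "dav1d", "1.0.0"),
    },
    "vulnix": {
        ("CVE-2023-1916", "libtiff", "4.5.0"),
        ("CVE-2023-0464", "openssl", "3.0.8"),
        ("CVE-2023-2004", "freetype", "2.12.1"),
    },
}


def advisory_url(vuln_id: str) -> str:
    """Advisory page for an id, following the two prefixes seen in the report."""
    if vuln_id.startswith("CVE-"):
        return f"https://nvd.nist.gov/vuln/detail/{vuln_id}"
    if vuln_id.startswith("OSV-"):
        return f"https://osv.dev/{vuln_id}"
    return ""


def merge_findings(findings: dict) -> list:
    """One row per (vuln_id, package, version) with a 0/1 flag per scanner and
    'sum' = number of scanners reporting it. Ordered like the report: most
    agreement first, then newest id first."""
    scanners = tuple(findings)
    rows = {}
    for scanner, hits in findings.items():
        for key in hits:
            rows.setdefault(key, dict.fromkeys(scanners, 0))[scanner] = 1
    out = []
    for (vuln_id, package, version), flags in rows.items():
        out.append({"vuln_id": vuln_id, "url": advisory_url(vuln_id),
                    "package": package, "version": version,
                    **flags, "sum": sum(flags.values())})
    out.sort(key=lambda r: r["vuln_id"], reverse=True)  # stable tie-break on id
    out.sort(key=lambda r: r["sum"], reverse=True)
    return out


def corroborated(rows: list, min_agreement: int = 2) -> list:
    """Triage filter: keep findings reported by at least `min_agreement` scanners.
    Single-scanner hits are often version-matching artefacts and are worth
    verifying against the advisory before they go into a ticket."""
    return [r for r in rows if r["sum"] >= min_agreement]


def render_table(rows: list, scanners: tuple) -> str:
    """Plain-text table in the report's column order."""
    cols = ["vuln_id", "url", "package", "version", *scanners, "sum"]
    widths = {c: max([len(c)] + [len(str(r[c])) for r in rows]) for c in cols}
    line = " | ".join("{%s:<%d}" % (c, widths[c]) for c in cols)
    header = line.format(**{c: c for c in cols})
    rule = "-+-".join("-" * widths[c] for c in cols)
    body = [line.format(**{c: str(r[c]) for c in cols}) for r in rows]
    return "\n".join([header, rule, *body])


if __name__ == "__main__":
    merged = merge_findings(FINDINGS)
    print(render_table(merged, tuple(FINDINGS)))
    print(f"\n{len(corroborated(merged))} of {len(merged)} findings reported by 2+ scanners")
```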

@AmitKumarDas
Author

Hey @nlewo I am fine with closing this issue since most of my requirements are kind of solved.

@nlewo nlewo closed this as completed Jun 4, 2023