Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(vex): support non-root components for products in OpenVEX #6728

Merged
merged 7 commits into from
May 21, 2024
Merged

feat(vex): support non-root components for products in OpenVEX #6728

merged 7 commits into from
May 21, 2024

Conversation

knqyf263
Copy link
Collaborator

@knqyf263 knqyf263 commented May 20, 2024
edited

Background

Currently, Trivy uses VEX statements with fixed and not_affected statuses to filter out vulnerabilities.

Current Implementation

In this PR, we added limited support for OpenVEX subcomponents. With this change, VEX can be applied to scans when the product is the root component and the subcomponent is the leaf component, i.e., the component with the vulnerability. For container image scans, if the product ID is the scan subject, the PURL of the image, the VEX is applicable as the image is a root component.

image

However, it does not work with VEX for non-root components within that container image. In the following example, a VEX document for Application B doesn't work since it is a non-root component.

image

Enhancement

This PR extends that functionality to allow VEX with non-root components as the product ID to be applied as well. This means that when scanning a container image like ghcr.io/aquasecurity/trivy:0.51.1, the following VEX can be passed:

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "author": "Aqua Security",
  "role": "Maintainer",
  "timestamp": "2024-05-20T19:07:16.853479631-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2024-21626"
      },
      "products": [
        {
          "@id": "pkg:golang/github.com/aquasecurity/trivy",
          "subcomponents": [
            {
              "@id": "pkg:golang/github.com/opencontainers/runc"
            }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}

With this extension, there is no longer a need to issue VEX for all container images to suppress this vulnerability, and VEX for applications can be reused. In the example above, the same VEX can be applied to all container images, including the pkg:golang/github.com/aquasecurity/trivy binary.

Implementation

Applying VEX to components in the middle of the dependency tree is not straightforward because the vulnerable component may also be used by other components. This means that all possible paths must be explored to ensure that all paths are unaffected.

  1. Single path
    If Library C is used only by Library B and Library B has a VEX statement declaring "not affected", we can consider Container Image A is also not affected.

image

The VEX statement would be as follows:

  "statements": [
    {
      "vulnerability": {
        "name": "CVE-XXXX-YYYY"
      },
      "products": [
        {
          "@id": "pkg:golang/library-b",
          "subcomponents": [
            {
              "@id": "pkg:golang/library-c"
            }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  1. Multi paths

However, consider a scenario where Application A depends on Library B and Library D, and both Library B and D depend on Library C. In other words, there are multiple paths from Library C to the root component, which is Application A in this example.

In this case, even if there is a VEX statement for Library B declaring that it is not affected by the vulnerability in Library C, we cannot definitively say that Application A is not vulnerable to the vulnerability in Library C. This is because Library D might be using Library C in a vulnerable way. Therefore, we also need to check the VEX for Library D, and if it is "affected" or if no VEX exists (default is considered affected), Application A is still considered affected.

image

On the other hand, if Library D also has a VEX statement declaring it as not affected, Application A is deemed not affected.

image

In this PR, Trivy generates as complete a dependency tree as possible, performs a full path exploration, and filters out the vulnerability only when all paths to the root component are unreachable.

Note

CSAF relationship support will be implemented in another PR.

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263
feat: add package hashes
0e46de3 
[skip ci]

Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
feat(openvex): improve relationship support
11cf96a 
[skip ci]

Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
fix: rebase
550bc68 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263 knqyf263 changed the title feat(vex) support non-root components for products in OpenVEX feat(vex): support non-root components for products in OpenVEX May 20, 2024
@knqyf263
test: update golden files
fc8aed5 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
chore: add comments
f60045b 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263 knqyf263 marked this pull request as ready for review May 20, 2024 10:28
DmitriyLewen
DmitriyLewen reviewed May 21, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
Left a couple comments.

pkg/vex/vex.go Outdated Show resolved Hide resolved
pkg/vex/vex.go Show resolved Hide resolved
knqyf263 and others added 2 commits May 21, 2024 12:55
@knqyf263 @DmitriyLewen
Update pkg/vex/vex.go
b45c21e 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
@knqyf263
chore: add an error message
34483c2 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
Copy link
Collaborator Author

@DmitriyLewen Done!

@knqyf263 knqyf263 added this pull request to the merge queue May 21, 2024
Merged via the queue into aquasecurity:main with commit 9515695 May 21, 2024
12 checks passed
@knqyf263 knqyf263 deleted the feat/vex_relationships branch May 21, 2024 10:23
@knqyf263 knqyf263 mentioned this pull request May 21, 2024
Merged
6 tasks
@aqua-bot aqua-bot mentioned this pull request May 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@knqyf263 @DmitriyLewen