Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Share which file is vulnerable when reporting an intra-file vulnerability in the default table output #1199

Open
luhring opened this issue Mar 28, 2023 · 2 comments · May be fixed by #1275
Open

Share which file is vulnerable when reporting an intra-file vulnerability in the default table output #1199

luhring opened this issue Mar 28, 2023 · 2 comments · May be fixed by #1275
Labels
enhancement New feature or request

Comments

@luhring
Copy link
Contributor

luhring commented Mar 28, 2023

What would you like to be added:

In the default output format, for image scans (or really, any scan of a target that contains multiple files), when reporting a vulnerability for a dependency inside a file (e.g. a module compiled into a Go binary), show which file has the vulnerability.

Why is this needed:

Without this feature, the output row for these kinds of vulnerabilities is not very helpful.

If I'm trying to ensure my image has as few vulnerabilities as possible, and I'm using Grype to help me, I want to get to the point where I can do something about every given vulnerability as quickly as possible. Any factor that gets in my way of doing this is noticeable friction added to my process of getting the job done.

For a distro package, (e.g. apk type), remediation is obvious. From anywhere in the image (or Dockerfile, etc.) I can run apk add -u pkgName and I'm done.

But for cases like Go binaries, JARs, etc. — there is a missing layer of hierarchy in Grype's table output. I see the vulnerable package, and I know what image I scanned, but I'm missing a crucial piece of information: the file itself. So I need to re-run the scan with a more helpful output.

Here's an example:

$ grype -q quay.io/cilium/hubble-ui-backend:v0.10.0
NAME                      INSTALLED                           FIXED-IN                           TYPE       VULNERABILITY        SEVERITY
github.com/cilium/cilium  v1.12.4                                                                go-module  CVE-2023-27593       Medium
github.com/cilium/cilium  v1.12.4                                                                go-module  CVE-2023-27594       High
github.com/cilium/cilium  v1.12.4                             1.12.8                             go-module  GHSA-4hc4-pgfx-3mrx  Medium
github.com/cilium/cilium  v1.12.4                             1.12.8                             go-module  GHSA-8fg8-jh2h-f2hc  Medium
golang.org/x/net          v0.4.0                              0.7.0                              go-module  GHSA-vvpx-j8f3-3w6h  High
golang.org/x/sys          v0.0.0-20210902050250-f475640dd07b  0.0.0-20220412211240-33da011f77ad  go-module  GHSA-p782-xgp4-8hr8  Medium

Which Go binary (or binaries, plural?) has the vulnerability? I have no idea. In the very best case, the image only has a single Go binary, and I have this knowledge in advance. But in all other cases, this Grype scan brought me no closer to a solution for those vulnerabilities.

Additional context:

The "default" piece of this ask might be more important than one would think. In practice, for better or for worse, I've seen lots of people sharing screenshots (or console copy/paste like the above example) of the table view. Of course, in some cases, folks are persisting a more machine-readable format, like the native JSON output or SARIF. But still, lots of times this isn't the case. And it would be great for folks on the receiving end of these snippets to more readily understand what Grype found.

cc: @kzantow
@luhring luhring added the enhancement New feature or request label Mar 28, 2023
@kzantow kzantow added this to OSS Mar 28, 2023
@kzantow kzantow moved this to Backlog in OSS Mar 28, 2023
@tgerla tgerla mentioned this issue Apr 6, 2023
Closed
jneate added a commit to jneate/grype that referenced this issue May 6, 2023
@jneate
feat: include file location in table output (anchore#1199)
4e8df15 
Signed-off-by: James Neate <[email protected]>
@jneate jneate linked a pull request May 6, 2023 that will close this issue
Open
jneate added a commit to jneate/grype that referenced this issue May 28, 2023
@jneate
feat: include file location in table output (anchore#1199)
558a210 
Signed-off-by: James Neate <[email protected]>
@kzantow
Copy link
Contributor

kzantow commented Mar 11, 2024

DEVELOPER NOTES: After some internal discussion with the team, we think implementing this feature would be good but an implementation should consider a few things:

  • we do not want the location to be output by default in the table view, as locations can be (and often are!) very long, this would make the table unwieldy, which is contradictory to the purpose of the table: having a simple summary view. however, we could make the columns that get displayed configurable (e.g. columns=name,vulnerability,location) but since table is a format type, a flag like --table-columns is mutually exclusive to the other output formats and we'd like to avoid this, instead favoring just structured configuration (like env var GRYPE_FORMAT_TABLE_COLUMNS=... or analogous YAML)
  • syft format configuration is done using a pattern consistent throughout the application in a number of ways: get a list of preconfigured format providers to pick from rather than configuration resulting in a single formatter object. we should probably use this feature to rework the grype presenters to be configured and used similar to the syft formats in this regard.
  • we probably want to continue to output 1-line-per-result. some possibilities for solving the "very wide table" problem could involve putting locations on a second line or similar, but this would break any tools using the table output as a simple way to get a list of CVEs using something like cut
  • as noted in the PR feat: include file location in table output (#1199) #1275, it also could be nice to have a configuration for omitting certain types from the location by default, such as rpm or dpkg packages, which tend to reference the same file(s) and provide limited value

@luhring
Copy link
Contributor Author

luhring commented Apr 1, 2024

One note I'll add is that I actually think Trivy has solved this problem really elegantly in their table output.

They don't cram all vuln matches of all kinds into a single table, they create "context-relevant" tables for distro packages and individual files.

Here's a simple example:

image

In this case, they found vulnerabilities in just one file. Instead of putting that file path (which to your point, could have been very long) inside a column somewhere, they factor it out and give the path its own table.

This is hugely beneficial to someone trying to use the tool to get real remediation work done.

For the example above, Grype just shows github.com/docker/docker. And the image could have had hundreds of binary paths to look in. Asking users to "use the JSON output" would solve their problem, but at an enormous cost of verbosity. Taking an approach like Trivy's would make the table more valuable without incurring much cost.

Food for thought!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
OSS
Status: Backlog
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: include file location in table output (#1199) jneate/grype
2 participants
@kzantow @luhring