Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VEX Autodiscovery! #1619

Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

VEX Autodiscovery! #1619

wants to merge 14 commits into from

Conversation

puerco
Copy link
Contributor

@puerco puerco commented Nov 29, 2023

This PR adds autodiscovery capabilities to the VEX processor when scanning container images.

The discovery feature is disabled by default, this PR proposes a new --vex-autodiscover flag that starts the autodiscover flow when set.

The whole autodiscover logic is performed by the openvex/discovery module. It looks for OpenVEX attestations attached using the sigstore attestation spec to the container image being scanned. If any are found, they are retrieved from the image registry and any applicable OpenVEX statements are added to the VEX history computation. In other words, any documents found attached to the image are mixed with those specified via the command line with --vex.

This implements most of 3 & 4 of our plan outlined in #1365

At this time we are not performing any signature verification or lookups in other registries.

Signed-off-by: Adolfo Garcia Veytia (puerco) [email protected]

@puerco
Copy link
Contributor Author

puerco commented Nov 29, 2023

@wagoodman : please let me know what you think about the approach I'm taking. Let's also discuss adding the audit trail to the raw json scan results.

@puerco puerco force-pushed the vex-discovery branch 7 times, most recently from 180c951 to 8436b9b Compare December 1, 2023 22:15
@kzantow
Copy link
Contributor

kzantow commented Feb 14, 2024

Hi @puerco, I had a look through this and I think it looks pretty good. Is there a possibility of adding some sort of test for this, though?

@wagoodman wagoodman self-assigned this Feb 14, 2024
puerco and others added 9 commits June 11, 2024 10:05
This commit imports the openvex autodiscovery module

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commits adds a new vex-autodiscover option that enables
the VEX discovery mechanism. It is exposed as a flag, in the
config file or via an environment variable.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit replaces the internal logic that computes
software identifiers from images and delegates it
to the OpenVEX OCI module.

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>
Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>
The generation of identifiers is now handled by the openvex discovery module so we
drop it from the vex processor implementation and also delete the test file.

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>
As we now delegate the generation of identifiers to the openvex libraries,
we pass the user input string verbatim instead of using the stereoscope
reference in the tests.

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
Copy link
Contributor

wagoodman commented Jun 11, 2024

Existing results:

$ grype ghcr.io/anchore/test-images/vex-oci-attach@sha256:8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce
b83488f70ce

NAME         INSTALLED            FIXED-IN  TYPE  VULNERABILITY   SEVERITY   
coreutils    9.4-3ubuntu6                   deb   CVE-2016-2781   Low         
gpgv         2.4.4-2ubuntu17                deb   CVE-2022-3219   Low         
libc-bin     2.39-0ubuntu8.2                deb   CVE-2016-20013  Negligible  
libc6        2.39-0ubuntu8.2                deb   CVE-2016-20013  Negligible  
libgcrypt20  1.10.3-2build1                 deb   CVE-2024-2236   Medium      
liblzma5     5.6.1+really5.4.5-1            deb   CVE-2020-22916  Medium      
libssl3t64   3.0.13-0ubuntu3.1              deb   CVE-2024-4741   Low         
libssl3t64   3.0.13-0ubuntu3.1              deb   CVE-2024-4603   Low         
libssl3t64   3.0.13-0ubuntu3.1              deb   CVE-2024-2511   Low         
libsystemd0  255.4-1ubuntu8                 deb   CVE-2023-7008   Low         
libudev1     255.4-1ubuntu8                 deb   CVE-2023-7008   Low

Results with vex applied:

$ grype ghcr.io/anchore/test-images/vex-oci-attach@sha256:8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce
b83488f70ce  --vex ./vex.json

NAME         INSTALLED            FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
libgcrypt20  1.10.3-2build1                 deb   CVE-2024-2236   Medium    
liblzma5     5.6.1+really5.4.5-1            deb   CVE-2020-22916  Medium    
libssl3t64   3.0.13-0ubuntu3.1              deb   CVE-2024-4741   Low       
libssl3t64   3.0.13-0ubuntu3.1              deb   CVE-2024-4603   Low       
libssl3t64   3.0.13-0ubuntu3.1              deb   CVE-2024-2511   Low

Results with vex autodiscover:

$ grype ghcr.io/anchore/test-images/vex-oci-attach@sha256:8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce
b83488f70ce  --vex-autodiscover

NAME         INSTALLED            FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
libgcrypt20  1.10.3-2build1                 deb   CVE-2024-2236   Medium    
liblzma5     5.6.1+really5.4.5-1            deb   CVE-2020-22916  Medium    
libssl3t64   3.0.13-0ubuntu3.1              deb   CVE-2024-4741   Low       
libssl3t64   3.0.13-0ubuntu3.1              deb   CVE-2024-4603   Low       
libssl3t64   3.0.13-0ubuntu3.1              deb   CVE-2024-2511   Low

... it appears to be working 🌮 🎉 I'll get an integration test going that uses this image and asserts that the results are non zero and specific CVEs are also not present.

@wagoodman
Copy link
Contributor

I've made a few changes:

  • updated the vex processor interface to not require any types in signatures. I see the reason for it: so we can support more than one vex implementation in the future. But one side effect is that there are type assertions being done to get the vex document out that won't scale well. Since the implementation object is responsible for loading the vex documents and using them, I made these documents a side effect on the object and the interface really captured the flow of matches/ignored matches only.
  • since we're IO bound on the auto discover, I bumped it to start before vulnerability matching and also allowed for concurrent resolution of each identity independently.
  • added a CLI test to show that local vex processing and auto discover work the same way
  • added TUI interactions with the vex auto discover, since it may result in real time waiting on responses from registries

What's left: we need a way to persist which vex documents were used somehow into the grype results. From what I can tell, the openvex utilities being used here are a bit of a facade: they are returning results without letting me know where the results came from (a URL). Is there a way to get this information? or a compromise to figure the information without explicitly getting it from the openvex lib?

@puerco
Copy link
Contributor Author

puerco commented Jun 18, 2024

@wagoodman do you want to keep the source location of the document or just the document ID? I think the results should keep both.

@wagoodman
Copy link
Contributor

Agreed -- if possible both a url and a doc ID would be ideal to keep.

@wagoodman
Copy link
Contributor

@puerco I'd love to get this in, and pushed several changes to the PR, I think there is still only the outstanding question about how to get some information about where the vex docs are pulled from in the final grype document.

@wagoodman
Copy link
Contributor

@puerco friendly nudge

@puerco
Copy link
Contributor Author

puerco commented Nov 15, 2024

Wuooa sorry @wagoodman I totally forgot about this and just happened to see your ping on my phone.

I'm at KubeCon rn but let me get back to it after this mad week!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Stalled
Development

Successfully merging this pull request may close these issues.

3 participants