Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(vex): CSAF support #1826

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat(vex): CSAF support #1826

wants to merge 4 commits into from

Conversation

juan131
Copy link

@juan131 juan131 commented Apr 25, 2024

Following #1397, this PR extends VEX support for ignoring/adding matches based on Vulnerability Exploitability Exchange data so it also accepts CSAF format.

The PR also refactors the grype/vex package since now there's more than one supported VEX format (CSAF & OpenVEX) and it requires the vex processor to be able to distinguish between VEX formats and apply a different implementation.

Credits to @joancafom as the designer of this implementation.

Use case

Given a CSAF VEX document such as the one below:

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "Example Company VEX document. Unofficial content for demonstration purposes only.",
        "title": "Author comment"
      }
    ],
    "publisher": {
      "category": "vendor",
      "name": "Example Company ProductCERT",
      "namespace": "https://psirt.example.com"
    },
    "title": "AquaSecurity example VEX document",
    "tracking": {
      "current_release_date": "2022-03-03T11:00:00.000Z",
      "generator": {
        "date": "2022-03-03T11:00:00.000Z",
        "engine": {
          "name": "Secvisogram",
          "version": "1.11.0"
        }
      },
      "id": "2022-EVD-UC-01-A-001",
      "initial_release_date": "2022-03-03T11:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-03-03T11:00:00.000Z",
          "number": "1",
          "summary": "Initial version."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.6.0",
                "product": {
                  "name": "Spring Boot 2.6.0",
                  "product_id": "SPB-00260",
                  "product_identification_helper": {
                    "purl": "pkg:apk/alpine/[email protected]?arch=aarch64&upstream=openssl&distro=alpine-3.17.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Spring Boot"
          }
        ],
        "category": "vendor",
        "name": "Spring"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-1255",
      "notes": [
        {
          "category": "description",
          "text": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "SPB-00260"
        ]
      },
      "threats": [
        {
          "category": "impact",
          "details": "Class with vulnerable code was removed before shipping.",
          "product_ids": [
            "SPB-00260"
          ]
        }
      ]
    }
  ]
}

You can use it so Grype suppresses the vulnerability which status is known_not_affected given the justification Class with vulnerable code was removed before shipping:

$ go run ./cmd/grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex csaf-demo.json --show-suppressed
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                        alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
 ✔ Parsed image                                               sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
 ✔ Cataloged contents                                                d0279448938d2200b7dcdcb5dcf5801569b25f549e5c744ca4bcdd52f7367628
   ├── ✔ Packages                        [15 packages]
   ├── ✔ File digests                    [78 files]
   ├── ✔ File metadata                   [78 locations]
   └── ✔ Executables                     [17 executables]
 ✔ Scanned for vulnerabilities     [21 vulnerability matches]
   ├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
   └── by status:   22 fixed, 0 not-fixed, 1 ignored
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libcrypto3  3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libcrypto3  3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libcrypto3  3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libcrypto3  3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libcrypto3  3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libcrypto3  3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libcrypto3  3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libcrypto3  3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libcrypto3  3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium (suppressed by VEX)
libssl3     3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libssl3     3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libssl3     3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libssl3     3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libssl3     3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libssl3     3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libssl3     3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libssl3     3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libssl3     3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libssl3     3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libssl3     3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown

@juan131
Copy link
Author

juan131 commented Apr 25, 2024

Still a drat since it's missing unit & integration tests

@juan131 juan131 marked this pull request as ready for review April 29, 2024 08:55
@juan131
Copy link
Author

juan131 commented Apr 29, 2024

Unit & integration tests added

@juan131
Copy link
Author

juan131 commented Apr 29, 2024

cc @wagoodman

@carrodher
Copy link

Hi @wagoodman, is there anything we can help with at this time?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Stalled
Development

Successfully merging this pull request may close these issues.

3 participants