-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(vex): support non-root components for products in OpenVEX #6728
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[skip ci] Signed-off-by: knqyf263 <[email protected]>
[skip ci] Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
knqyf263
changed the title
feat(vex) support non-root components for products in OpenVEX
feat(vex): support non-root components for products in OpenVEX
May 20, 2024
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
Left a couple comments.
Co-authored-by: DmitriyLewen <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
@DmitriyLewen Done! |
DmitriyLewen
approved these changes
May 21, 2024
6 tasks
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
Currently, Trivy uses VEX statements with
fixed
andnot_affected
statuses to filter out vulnerabilities.Current Implementation
In this PR, we added limited support for OpenVEX subcomponents. With this change, VEX can be applied to scans when the product is the root component and the subcomponent is the leaf component, i.e., the component with the vulnerability. For container image scans, if the product ID is the scan subject, the PURL of the image, the VEX is applicable as the image is a root component.
However, it does not work with VEX for non-root components within that container image. In the following example, a VEX document for Application B doesn't work since it is a non-root component.
Enhancement
This PR extends that functionality to allow VEX with non-root components as the product ID to be applied as well. This means that when scanning a container image like
ghcr.io/aquasecurity/trivy:0.51.1
, the following VEX can be passed:With this extension, there is no longer a need to issue VEX for all container images to suppress this vulnerability, and VEX for applications can be reused. In the example above, the same VEX can be applied to all container images, including the
pkg:golang/github.com/aquasecurity/trivy
binary.Implementation
Applying VEX to components in the middle of the dependency tree is not straightforward because the vulnerable component may also be used by other components. This means that all possible paths must be explored to ensure that all paths are unaffected.
If Library C is used only by Library B and Library B has a VEX statement declaring "not affected", we can consider Container Image A is also not affected.
The VEX statement would be as follows:
However, consider a scenario where Application A depends on Library B and Library D, and both Library B and D depend on Library C. In other words, there are multiple paths from Library C to the root component, which is Application A in this example.
In this case, even if there is a VEX statement for Library B declaring that it is not affected by the vulnerability in Library C, we cannot definitively say that Application A is not vulnerable to the vulnerability in Library C. This is because Library D might be using Library C in a vulnerable way. Therefore, we also need to check the VEX for Library D, and if it is "affected" or if no VEX exists (default is considered affected), Application A is still considered affected.
On the other hand, if Library D also has a VEX statement declaring it as not affected, Application A is deemed not affected.
In this PR, Trivy generates as complete a dependency tree as possible, performs a full path exploration, and filters out the vulnerability only when all paths to the root component are unreachable.
Note
CSAF relationship support will be implemented in another PR.
Related issues
Related PRs
Checklist