Integrating Rancher VEX files into Aqua VEX Hub #23
Comments
Hey @knqyf263. Thanks for your message and for noticing our efforts around VEX. We truly appreciate Trivy's work on this and the amazing idea of VEX Hub, which we are using extensively to remove known false-positive CVEs in our code and images. We would love to collaborate on this and share our reports with Trivy's VEX Hub, so that more users can benefit from them. We have a central automation in place, with automatic and manual VEX, from where we run our scans and generate the reports. Given this current model, the best solution to share the reports seems to be:
In the future we might add the reports to each repo under the All the VEX reports under:
are fully owned and vetted by SUSE Rancher, so we can safely share them with Trivy's VEX Hub. We can implement a daily automation to submit PRs every time they are updated or, as you mentioned, register them in https://github.com/aquasecurity/vexhub-crawler/blob/main/crawler.yaml, which seems to be the ideal method, right? If yes, can you share examples of how to register the direct VEX Hub report URLs, please?
Yes. Adding the following lines to the manifest should work.
But I found a small problem. I'll update you once we fix it.
@knqyf263 thanks! Will wait for your ping.
Upstream PRs to integrate with Trivy's VEX Hub:
@knqyf263 do you want me to submit the PRs to add our other projects ^ ?
Yes, it would be appreciated!
I found one problem. The subcomponent in Rancher VEX files has However, Trivy doesn't have the
Due to this discrepancy, vulnerabilities are not correctly suppressed. The spec uses commit hashes and doesn't mention versions. The Go It looks like there is a discussion about the leading
Other tools may not handle both cases, so adding both to VEX may be one of the options.
Thanks for bringing up this topic; it's a funny/sad discussion about Go's When we first noticed this, we started to use our own forked version of govulncheck while this situation isn't defined by upstream. See the diff. Our fork is adding the affected dependency and version. This forked version correctly generates a VEX entry that works with Trivy and is a valid OpenVEX report. We plan to remove our fork once golang/go#68152 is implemented (hopefully). Trivy and VEX in Rancher are used to scan our released container images. For example, if you pass this VEX file to Trivy and scan the image
Image scan without VEX
Image scan with VEX
What I just noticed now is that if I do the same scan, but instead of scanning the image I scan the repo, then it will not remove the VEXed entry, because the affected version reported by Trivy doesn't have the
Repo scan without VEX
Repo scan with VEX
Do you also see the difference between the affected version in the repo scan versus the image scan? I think that we can add the VEX entry for the versions without the
Perhaps the best solution for now is for us to add VEX entries for both I honestly have no idea what would be the right way, given the upstream situation and the PURL spec as you mentioned.
Oh, yes. You're right. We currently remove the I also have no idea about the canonical version format in PURL, but we can use versions with the prefix for now. Once PURL defines the spec, we can conform to that.
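The version-prefix mismatch discussed above, as an added example that is not from this thread, Trivy or Rancher: a small matcher run over a constructed OpenVEX document and two constructed findings, assuming the prefix in question is the leading v of Go module versions. It shows both the consumer-side fix (normalizing pkg:golang versions before matching) and the producer-side workaround agreed in the thread (listing each subcomponent with and without the prefix).

```python
import json

# Constructed OpenVEX document (not Rancher's): the not_affected statement names
# the dependency with the Go-style leading v, the form an image scan reports.
VEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0", "statements": [{
    "vulnerability": {"name": "CVE-0000-00001"},
    "products": [{"@id": "pkg:golang/github.com/example/product@v2.9.0",
                  "subcomponents": [{"@id": "pkg:golang/example.org/dep@v1.2.3"}]}],
    "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}]}""")

# Constructed findings: the image scan reports the module with the v prefix,
# the go.mod (repo) scan reports the same module without it.
FINDINGS = [
    {"scan": "image", "vuln": "CVE-0000-00001", "purl": "pkg:golang/example.org/dep@v1.2.3"},
    {"scan": "repo", "vuln": "CVE-0000-00001", "purl": "pkg:golang/example.org/dep@1.2.3"},
]

def split_purl(purl):
    # (type/namespace/name, version); qualifiers and subpath are dropped
    name, _, version = purl.split("?", 1)[0].split("#", 1)[0].partition("@")
    return name, version

def golang_key(purl):
    # Consumer-side fix: treat v1.2.3 and 1.2.3 as the same pkg:golang version
    name, version = split_purl(purl)
    if name.startswith("pkg:golang/") and version.startswith("v"):
        version = version[1:]
    return name, version

def suppressed(findings, vex_doc, key=split_purl):
    # Scans whose finding is covered by a not_affected statement under `key`;
    # key=split_purl is exact matching, key=golang_key tolerates the prefix.
    covered = {(st["vulnerability"]["name"], key(sub["@id"]))
               for st in vex_doc["statements"] if st["status"] == "not_affected"
               for p in st["products"] for sub in p.get("subcomponents", [])}
    return [f["scan"] for f in findings if (f["vuln"], key(f["purl"])) in covered]

def with_both_forms(vex_doc):
    # Producer-side workaround agreed in the thread: list every pkg:golang
    # subcomponent twice, with and without the leading v (original left untouched).
    doc = json.loads(json.dumps(vex_doc))
    for st in doc["statements"]:
        for p in st["products"]:
            subs = p.get("subcomponents", [])
            for sub in list(subs):
                name, version = split_purl(sub["@id"])
                if name.startswith("pkg:golang/") and version.startswith("v"):
                    subs.append({"@id": f"{name}@{version[1:]}"})
    return doc
```

With exact matching, suppressed(FINDINGS, VEX_DOC) returns ['image'] only, while suppressed(FINDINGS, VEX_DOC, golang_key) and suppressed(FINDINGS, with_both_forms(VEX_DOC)) both return ['image', 'repo'].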
Rancher VEX documents newly registered in Aqua VEX Hub work like a charm with container images, as you pointed out 🎉
Thanks for your help! Once we fix aquasecurity/trivy#7711, I'm sure it will work with go.mod as well.
Thanks for sharing that issue and PR. I wasn't aware of it. I'll monitor it for when it's merged.
Agree. When the definition is done we will update our reports to match the upstream spec.
Nice!
Indeed! And we thank you and Aqua for developing this amazing feature. It helps a lot to fight the false-positive CVE noise and fatigue.
I'll be submitting the PRs to add the other projects by tomorrow, then I'll close this issue.
Hopefully, we'll include it in v0.57.0.
We thank you, too. We believed VEX Hub would reduce noise, but it would be useless if no one generated VEX and added it to VEX Hub.
Great. Thanks for your contribution!
All merged, and Rancher VEXes are available now on Aqua VEX Hub! Thank you so much! I'd mention Rancher VEX Hub in my talk next month. Please let me know if you wouldn't like me to do that.
All possible integrations have been done (see comment #23 (comment)).
Thanks for the quick merge!
@knqyf263 please, feel free to do it. We'll be very glad 🙇🏻
Hello Rancher team,
We're reaching out from the Trivy team to discuss the possibility of integrating some of your VEX files into Aqua VEX Hub. We greatly appreciate your adoption of the VEX Repository and are pleased to see it being used as intended.
Background
The Aqua VEX Hub operates on a trust model where VEX files issued by software maintainers are recognized and trusted. We encourage third-party vendors to publish their own VEX repositories, as Rancher does. Trivy provides flexibility by allowing users to set priorities for VEX repositories, enabling them to trust different VEX issuers as needed.
Upon reviewing the Rancher VEX Hub, we noticed that several VEX files appear to be issued in your capacity as a maintainer. Specifically, we identified VEX files for:
- pkg:golang/github.com/rancher/rancher
- pkg:golang/github.com/k3s-io/k3s
Proposed Collaboration
We would like to propose registering these maintainer-issued VEX files in the Aqua VEX Hub. This integration would benefit users by transparently reducing noise in Trivy scans, as the Aqua VEX Hub is enabled by default in Trivy.
To facilitate this integration, we suggest two possible methods:
- .vex/ directory in each source repository and add the PURLs to the VEX Hub Crawler.
- github.com/rancher/rancher/.vex/scan.openvex.json.
If you're interested in pursuing this collaboration, we're more than willing to assist with adding these VEX files to the Aqua VEX Hub.