
Improve VEX reports to handle Go's versioned entries without the v prefix #27

Closed
macedogm opened this issue Oct 24, 2024 · 5 comments
Assignee: macedogm (self-assigned)
Labels: enhancement (New feature or request)

Comments

@macedogm (Member)

While working on #23 (comment) (see the comments below the linked one) we, together with Trivy's team, identified that there are discrepancies (aquasecurity/trivy#7242) in the way that Trivy generates the affected version for Go's dependencies when scanning in image versus repo mode.

This happens, partially, because Go itself (golang/go#68152) doesn't properly follow the PURL spec (package-url/purl-spec#294) and adds the v prefix to the dependencies' versions.

The plan is to have doubled VEX entries for Go packages containing both the v prefix and without it. This way we believe that we can be sure that any VEX scanner will correctly match our VEXed entries.

@macedogm macedogm added the enhancement New feature or request label Oct 24, 2024
@macedogm macedogm self-assigned this Oct 24, 2024
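The duplication plan above boils down to a small transformation on the product PURLs of each VEX statement. The following is an added example (not code from this issue, from rancher/vexhub or from Trivy) that shows it in Go: for every `pkg:golang/...@version` product it emits both the `v`-prefixed and unprefixed spelling, leaves non-Go PURLs and qualifiers untouched, and then runs a scanner-style exact-match lookup to show that a single-spelling entry matches only one of the two forms while the duplicated entry matches both. The statement struct is a minimal OpenVEX-like shape, and the `v25.0.5` version of `github.com/docker/docker` is a constructed placeholder, not the affected range of CVE-2024-41110.

```go
package main

import (
	"fmt"
	"strings"
)

// Statement is a minimal OpenVEX-style statement (constructed for this
// example; the real OpenVEX schema carries more fields).
type Statement struct {
	Vulnerability string
	Products      []string // PURLs
	Status        string
	Justification string
}

// splitPurl splits a PURL into the part before the version, the version, and
// the trailing qualifiers/subpath ("?..." or "#..."), so the version can be
// edited without touching the rest. ok is false when there is no version.
func splitPurl(purl string) (prefix, version, suffix string, ok bool) {
	end := len(purl)
	if i := strings.IndexAny(purl, "?#"); i >= 0 {
		end = i
	}
	at := strings.LastIndex(purl[:end], "@")
	if at < 0 || at+1 == end {
		return "", "", "", false
	}
	return purl[:at], purl[at+1 : end], purl[end:], true
}

// goPurlVariants returns the PURL as written plus, for pkg:golang PURLs, the
// same PURL with the leading "v" of the version toggled, so a VEX document
// carries both "@v1.2.3" and "@1.2.3". Non-Go PURLs are returned unchanged.
func goPurlVariants(purl string) []string {
	if !strings.HasPrefix(purl, "pkg:golang/") {
		return []string{purl}
	}
	prefix, version, suffix, ok := splitPurl(purl)
	if !ok {
		return []string{purl}
	}
	other := "v" + version
	if strings.HasPrefix(version, "v") {
		other = strings.TrimPrefix(version, "v")
	}
	return []string{purl, prefix + "@" + other + suffix}
}

// expandGoProducts returns a copy of the statements with every Go product
// listed in both version spellings. Duplicates are dropped, so a statement
// that already lists both forms keeps two products, not four.
func expandGoProducts(stmts []Statement) []Statement {
	out := make([]Statement, 0, len(stmts))
	for _, s := range stmts {
		seen := map[string]bool{}
		var products []string
		for _, p := range s.Products {
			for _, v := range goPurlVariants(p) {
				if !seen[v] {
					seen[v] = true
					products = append(products, v)
				}
			}
		}
		s.Products = products
		out = append(out, s)
	}
	return out
}

// lookup models a scanner that matches a finding (vulnerability ID plus the
// PURL it derived for the dependency) against VEX statements by exact PURL
// comparison. A version-spelling mismatch therefore means "no statement".
func lookup(stmts []Statement, vuln, purl string) (Statement, bool) {
	for _, s := range stmts {
		if s.Vulnerability != vuln {
			continue
		}
		for _, p := range s.Products {
			if p == purl {
				return s, true
			}
		}
	}
	return Statement{}, false
}

func main() {
	// Constructed statement: module and CVE come from the issue, the version
	// is a placeholder chosen for illustration.
	vex := []Statement{{
		Vulnerability: "CVE-2024-41110",
		Products:      []string{"pkg:golang/github.com/docker/docker@v25.0.5"},
		Status:        "not_affected",
		Justification: "vulnerable_code_not_present",
	}}
	expanded := expandGoProducts(vex)
	// The two spellings a scanner may report for the same dependency.
	for _, purl := range []string{
		"pkg:golang/github.com/docker/docker@v25.0.5",
		"pkg:golang/github.com/docker/docker@25.0.5",
	} {
		_, single := lookup(vex, "CVE-2024-41110", purl)
		_, both := lookup(expanded, "CVE-2024-41110", purl)
		fmt.Printf("%-46s single entry: %-5v duplicated: %v\n", purl, single, both)
	}
}
```

The toggle only touches the leading `v` of the version segment, so pseudo-versions (`v0.0.0-20240101000000-abcdef123456`) and qualifiers such as `?type=module` survive intact, and running the expansion twice is idempotent because of the dedup step.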
@macedogm (Member, Author)

Trivy is working on fixing the v removal in aquasecurity/trivy#7711.

@macedogm (Member, Author)

PR which adds the initial duplicated entries to fix this - #28.

@macedogm (Member, Author)

Now Rancher's VEX Hub reports have the needed entry for Go dependencies and can properly remove false positives with Trivy in both repo and image scan modes. This should be synced soon to Trivy's VEX Hub too.

Repo scan with Rancher's VEX Hub

> trivy -q repo -s CRITICAL,HIGH --tag v1.29.8-build20240910 --vex repo --show-suppressed https://github.com/rancher/image-build-rke2-cloud-provider

go.mod (gomod)

Total: 0 (HIGH: 0, CRITICAL: 0)


Suppressed Vulnerabilities (Total: 2)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │    Status    │              Statement              │                           Source                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/docker/docker                                     │ CVE-2024-41110 │ CRITICAL │ not_affected │ vulnerable_code_not_present         │ VEX Repository: default (https://github.com/rancher/vexhub) │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤              ├─────────────────────────────────────┤                                                             │
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH     │              │ vulnerable_code_not_in_execute_path │                                                             │
│ rg/grpc/otelgrpc                                             │                │          │              │                                     │                                                             │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Image scan with Rancher's VEX Hub

> trivy -q i -s CRITICAL,HIGH --vex repo --show-suppressed rancher/rke2-cloud-provider:v1.29.8-build20240910

usr/local/bin/rke2-cloud-provider (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)


Suppressed Vulnerabilities (Total: 2)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │    Status    │              Statement              │                           Source                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/docker/docker                                     │ CVE-2024-41110 │ CRITICAL │ not_affected │ vulnerable_code_not_in_execute_path │ VEX Repository: default (https://github.com/rancher/vexhub) │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤              │                                     │                                                             │
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH     │              │                                     │                                                             │
│ rg/grpc/otelgrpc                                             │                │          │              │                                     │                                                             │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────────────────┴─────────────────────────────────────────────────────────────┘

@macedogm (Member, Author)

@knqyf263 FYI ^

@knqyf263

Awesome!
