
chore: add VEX document and generator for Trivy #7128

Merged
merged 14 commits into from
Jul 10, 2024

Conversation

knqyf263
Copy link
Collaborator

@knqyf263 knqyf263 commented Jul 9, 2024

Overview

This PR introduces an OpenVEX generator for Trivy. This tool generates OpenVEX with govulncheck to reduce false positives in vulnerability scanning by explicitly declaring "not_affected" statements for vulnerabilities that do not impact Trivy.

Key Features

  • Generates OpenVEX documents for Trivy versions v0.40.0 and later and combines them
  • Focuses solely on "not_affected" statements to address false positives, not "fixed" and "affected"
  • Optimizes VEX representation by omitting version information for vulnerabilities that are "not_affected" across all versions

I chose v0.40.0, not for any particular reason, but because it is old enough that I thought many users would be using a newer version than that.

Implementation Details

  1. The script clones or updates the Trivy repository
  2. It retrieves and processes tags (versions) starting from v0.40.0
  3. For each tag, it runs govulncheck to generate VEX documents
  4. The generated VEX documents are then combined and optimized

Addressing govulncheck Limitations

The current version of govulncheck (v1.1.2) has some limitations:

To overcome these issues, our script:

  • Fills in the correct product information by our script
  • Uses the JSON format (govulncheck -format json) in conjunction with OpenVEX to gather additional data, such as subcomponents
  • Determines the actual "not_affected" status by combining information from both formats

This will improve as more features are added to govulncheck.

Optimization Strategy

While it's possible for a vulnerability to be "affected" in one version and "not_affected" in another (let's say Trivy v0.50.0 uses a vulnerable function, Solver.Solve in moby/buildkit, but stops using the function in v0.51.0), I assume this is relatively rare. Therefore, for vulnerabilities that are "not_affected" and "fixed" across all versions from v0.40.0 onwards, we declare them as "not_affected" for all Trivy versions by omitting the version in the product PURL. The product ID would be `pkg:golang/github.com/aquasecurity/trivy` rather than `pkg:golang/github.com/aquasecurity/[email protected]`.

Please refer to the committed OpenVEX file in this PR for concrete examples of the generated output.

Next Steps

  • Automate the process with GitHub Actions
  • Consider expanding coverage to versions prior to v0.40.0 if deemed necessary

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
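The combining step described under "Optimization Strategy", as an added stand-alone Go example (this is not code from the PR or from Trivy). Vulnerability ids, tags and statuses are constructed placeholders; the only input is the per-tag status that govulncheck would have produced. One rule is an assumption of this example and not something the PR states: a scanned tag with no finding at all for a vulnerability is treated as not affected, on the basis that the vulnerable module is absent from that tag.

```go
package main

import (
	"fmt"
	"sort"
)

// OpenVEX status values used by the generator.
const (
	StatusAffected    = "affected"
	StatusNotAffected = "not_affected"
	StatusFixed       = "fixed"
)

// BasePURL is the version-less product id used when a vulnerability is
// not_affected across every scanned Trivy tag.
const BasePURL = "pkg:golang/github.com/aquasecurity/trivy"

// Finding is the per-tag status of one vulnerability (constructed input).
type Finding struct {
	Version string // Trivy tag, e.g. "v0.50.0"
	VulnID  string // placeholder vulnerability id
	Status  string // one of the Status* constants
}

// Statement is a reduced OpenVEX statement: one vulnerability, one product PURL.
type Statement struct {
	VulnID  string
	Product string
	Status  string
}

// Combine merges per-tag findings into the optimized statement set:
//   - every scanned tag reports not_affected or fixed (or has no finding,
//     the assumption noted above): one not_affected statement on BasePURL;
//   - otherwise: one not_affected statement per tag that reported
//     not_affected, with the tag in the PURL. Affected and fixed entries are
//     dropped because the document declares only not_affected.
func Combine(versions []string, findings []Finding) []Statement {
	byVuln := map[string]map[string]string{} // vulnID -> tag -> status
	for _, f := range findings {
		if byVuln[f.VulnID] == nil {
			byVuln[f.VulnID] = map[string]string{}
		}
		byVuln[f.VulnID][f.Version] = f.Status
	}

	var out []Statement
	for vuln, statuses := range byVuln {
		allClear := true
		for _, v := range versions {
			if st, ok := statuses[v]; ok && st != StatusNotAffected && st != StatusFixed {
				allClear = false
				break
			}
		}
		if allClear {
			out = append(out, Statement{VulnID: vuln, Product: BasePURL, Status: StatusNotAffected})
			continue
		}
		for _, v := range versions {
			if statuses[v] == StatusNotAffected {
				out = append(out, Statement{VulnID: vuln, Product: BasePURL + "@" + v, Status: StatusNotAffected})
			}
		}
	}
	// Deterministic order so a committed document diffs cleanly between runs.
	sort.Slice(out, func(i, j int) bool {
		return out[i].VulnID+" "+out[i].Product < out[j].VulnID+" "+out[j].Product
	})
	return out
}

// SampleVersions and SampleFindings are constructed inputs, not real scan results.
var SampleVersions = []string{"v0.50.0", "v0.51.0", "v0.52.0"}

func SampleFindings() []Finding {
	return []Finding{
		// Never reachable in any tag: collapses to the version-less PURL.
		{"v0.50.0", "EXAMPLE-VULN-1", StatusNotAffected},
		{"v0.51.0", "EXAMPLE-VULN-1", StatusNotAffected},
		{"v0.52.0", "EXAMPLE-VULN-1", StatusFixed},
		// Reachable in v0.50.0 only: stays per-tag for the other two.
		{"v0.50.0", "EXAMPLE-VULN-2", StatusAffected},
		{"v0.51.0", "EXAMPLE-VULN-2", StatusNotAffected},
		{"v0.52.0", "EXAMPLE-VULN-2", StatusNotAffected},
	}
}

func main() {
	for _, s := range Combine(SampleVersions, SampleFindings()) {
		fmt.Printf("%-16s %-12s %s\n", s.VulnID, s.Status, s.Product)
	}
}
```

Running it prints one version-less statement for EXAMPLE-VULN-1 and two versioned statements for EXAMPLE-VULN-2 (v0.51.0 and v0.52.0); the affected v0.50.0 entry produces nothing, which is the "not_affected only" behaviour the PR describes.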

@knqyf263 knqyf263 requested a review from DmitriyLewen July 9, 2024 07:55
@knqyf263 knqyf263 self-assigned this Jul 9, 2024
@knqyf263 knqyf263 changed the title chore: add VEX generator and a document for Trivy chore: add VEX document and generator for Trivy Jul 9, 2024
@knqyf263 knqyf263 marked this pull request as ready for review July 9, 2024 08:01
Signed-off-by: knqyf263 <[email protected]>
@nikpivkin
Contributor

Why is the file vex.go in misc and not in magefiles?

@knqyf263
Collaborator Author

knqyf263 commented Jul 9, 2024

Why is the file vex.go in misc and not in magefiles?

Yeah, it's better to put it in magefiles. I didn't mean to commit this file at the beginning, and I found some issues in govulncheck. After all, the script is not small anymore and I committed it. I didn't carefully think about the script. I'll move it.

@knqyf263
Collaborator Author

knqyf263 commented Jul 9, 2024

Why is the file vex.go in misc and not in magefiles?

Moved
527b033

magefiles/vex.go Outdated
Author: "Aqua Security",
Timestamp: lo.ToPtr(time.Now()),
Version: doc.Version + 1,
Tooling: "https://github.com/aquasecurity/trivy/tree/main/misc/vex/vex.go",
Contributor

@nikpivkin nikpivkin Jul 9, 2024


This should be updated

Suggested change
Tooling: "https://github.com/aquasecurity/trivy/tree/main/misc/vex/vex.go",
Tooling: "https://github.com/aquasecurity/trivy/tree/main/magefiles/vex.go",

Collaborator Author


Thanks. I also updated the field in the VEX file. @id should be re-calculated technically, but I believe it doesn't matter.
edfc903

Co-authored-by: Nikita Pivkin <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Comment on lines +474 to +476
func VEX(_ context.Context, dir string) error {
return sh.RunWith(ENV, "go", "run", "-tags=mage_vex", "./magefiles/vex.go", "--dir", dir)
}
Contributor


what about output flag?

Collaborator Author


We probably don't need the output flag because the VEX file should be written under .vex/. I added it for local debugging, though.

Collaborator Author


All arguments are mandatory and must be specified in the order they appear in the function.

All arguments are mandatory in Mage.
https://magefile.org/targets/

It means we have to specify .vex/vex.json every time.

Contributor

@DmitriyLewen DmitriyLewen left a comment


LGTM

Signed-off-by: knqyf263 <[email protected]>
@knqyf263 knqyf263 enabled auto-merge July 10, 2024 06:01
@knqyf263 knqyf263 added this pull request to the merge queue Jul 10, 2024
Merged via the queue into aquasecurity:main with commit d2f4da8 Jul 10, 2024
12 checks passed
@knqyf263 knqyf263 deleted the chore/gen_vex branch July 10, 2024 06:42
@knqyf263 knqyf263 mentioned this pull request Jul 10, 2024
6 tasks
skahn007gl pushed a commit to skahn007gl/trivy that referenced this pull request Jul 23, 2024