fix: update alpine matchers to use SecDB entries as fixed information rather than vuln source #1318
Conversation
we only want to match on cpe without sec db fixes
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@luhring ^ re #970 does this look correct - I still need to update the tests (since we're not matching on specific cases anymore)
Summary of changes:
I don't think we have a mechanism yet to use the feed to flip OFF (remove) vulnerabilities - but am taking a look at this now - I just wanted to be sure this was the spot you were discussing =) - apologies for the stale issue here!
Super late response! 🤦 Yes I think this is looking good!
Awesome thanks! I'll go ahead and rebase this and get the tests updated so we can get it released =)
* main: (137 commits)
  chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#1564)
  Add --ignore-states flag for ignoring findings with specific fix states (#1473)
  feat: update go-sarif library to use latest release (#1563)
  bump clio to get stderr reporting fix (#1561)
  chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.2 to 1.4.3 (#1558)
  chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0 to 0.9.1 (#1557)
  Add checksum signing (#1535)
  chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0 (#1554)
  feat: disable CPE-based matching for GHSA ecosystems by default (#1412)
  chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1552)
  chore(deps): update Syft to v0.93.0 (#1550)
  chore(deps): bump gorm.io/gorm from 1.25.4 to 1.25.5 (#1547)
  chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0 to 0.9.0 (#1548)
  chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#1549)
  chore(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#1544)
  fix: empty descriptor name and version (#1542)
  chore: removes unnecessary conditional (#1539)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10 to 0.4.11 (#1533)
  chore(deps): update Syft to v0.92.0 (#1527)
  chore(deps): update bootstrap tools to latest versions (#1524)
  ...
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Unit/Integration tests should be fixed now to reflect the CPE only matching directive now - the final part of this PR is to update the quality gate data.
Something to note in the example for
Which matches the secfix comment from the APKBUILD file at v3.18.0 (through
Note the
However, the commit that put in the patch and bumped the version to 1.1.5 seems to have copy-pasted the wrong version:
--
diff --git a/community/runc/APKBUILD b/community/runc/APKBUILD
index 12b009c0a06..fc56095c90c 100644
--- a/[community/runc/APKBUILD](https://git.alpinelinux.org/aports/tree/community/runc/APKBUILD?h=3.18-stable&id=2782d1ed755d99b0864271e13759ec666656b493)
+++ b/[community/runc/APKBUILD](https://git.alpinelinux.org/aports/tree/community/runc/APKBUILD?h=3.18-stable&id=87362059d03b6abc02a72b6bb5d03231e6e574c7)
@@ -4,19 +4,22 @@
pkgname=runc
pkgdesc="CLI tool for spawning and running containers according to the OCI specification"
url="https://www.opencontainers.org"
-_commit=5fd4c4d144137e991c4acebb2146ab1483a97925
-pkgver=1.1.4
-pkgrel=7
+_commit=f19387a6bec4944c770f7668ab51c4348d9c2f38
+pkgver=1.1.5
+pkgrel=0
arch="all"
license="Apache-2.0"
makedepends="bash go go-md2man libseccomp-dev libtool"
subpackages="$pkgname-doc"
source="https://github.com/opencontainers/runc/archive/v$pkgver/runc-$pkgver.tar.gz
- CVE-2023-27561.patch
"
options="!check"
# secfixes:
+# 1.1.4-r0:
+# - CVE-2023-25809
+# - CVE-2023-27561
+# - CVE-2023-28642
# 1.1.4-r7:
# - CVE-2023-27561
# 1.1.2-r0:
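Review bot: the added secfixes block is labelled `# 1.1.4-r0:` while this same hunk bumps the package to `pkgver=1.1.5` / `pkgrel=0`, so the header should read `# 1.1.5-r0:`; as written it also sits above the existing `# 1.1.4-r7:` entry, breaking the descending order of the secfixes list, and re-lists CVE-2023-27561, which `1.1.4-r7` already records. Any consumer that reads secfixes as exact fixed versions (as this PR proposes) will attribute the three CVEs to 1.1.4-r0 instead of 1.1.5-r0. Removing `CVE-2023-27561.patch` from `source` is consistent with moving to the upstream 1.1.5 release that carries the fix.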
@@ -47,6 +50,5 @@ package() {
}
sha512sums="
-c8e79ad839964680d29ab56a4de255f91192741951673025da6889c544a232d4d392db2da8005d8e22999a37bfbc9c9fe7f6043b165bc4edc2f2a29261d8a3d6 runc-1.1.4.tar.gz
-47aa4d15e4b0e0ea419566361f95b26af24e71ff4b77e440f23b9f6f6c62cdb56e4e290f8d6c2b9f2622b76f0d5201b975e146a723b2ef64d1585499d7680323 CVE-2023-27561.patch
+f3cc9b93b0fe8a4341d410010fe584febb8e975ec9e0fd569d7dff33ab74c5821a2e0c40b7aeafd6b90991a50eae9c352342437f09cf6884dc850ceccdc68944 runc-1.1.5.tar.gz
"
Note that the package version is bumped to
Amending the conclusion:
I think the next step is to ensure the labels reflect the truth ("is the artifact vulnerable or not" and not biased towards a matching strategy) and if there is a corrective action on the labels needed we should make them before considering merging this feature. That being said, I'm still skeptical of relying on CPE-based matching as heavily as this proposal suggests and having that as the default matching strategy for alpine-based images. Even if this proposal is theoretically correct, practically correct is more important. That is, if the theory states we must have accurate CPEs to match, but in practice accurate CPEs are difficult to obtain, then there is a problem.
Summary
The alpine matcher needs to be updated to behave a little differently from the other distro specific matchers.
Secdb is a collection of records that denotes whether a related CVE has been fixed, and the version the package was fixed in.
Basic Example:
In the above record, if advancecomp is found on the v3.18 distro at version 2.1-r2, then, given the package has matched the NVD record CVE-2019-9210, we can correctly remove that record from the final match results. Secdb informs which CVE should be turned off (not reported) given an exact version and distro match.
In the wild example showing the matching distinction
I’ve identified an example from previous security updates where how we use this data could matter as different feeds update:
https://nvd.nist.gov/vuln/detail/CVE-2023-27561#VulnChangeHistorySection
The above link shows the change history for CVE-2023-27561. It indicates how/when the nvd record updated.
NVD Timeline
The initial analysis for this was done on 3/10/2023 9:09:57 AM. Constraint: versions up to (including) 1.1.4
A second modified analysis was done on 04/05/2023. Constraint: versions up to and including 1.1.5
SecDB Timeline
Alpine iterated and issued a secfix twice for this dependency. These fixes happened between nvd updates:
3-25-23
https://git.alpinelinux.org/aports/commit/?id=aed110c1af5fa541884541180f34cb4a4bd32b14
3-29-2023
As well as a security upgrade to v1.1.5:
https://git.alpinelinux.org/aports/commit/community/runc/APKBUILD?h=v3.18.0&id=87362059d03b6abc02a72b6bb5d03231e6e574c7
Full commit history for that file for the alpine:3.18 branch
https://git.alpinelinux.org/aports/log/community/runc/APKBUILD?h=v3.18.0
Matching Summary
Given the above timeline, our alpine namespace for 3.18 would have two constraints that we intuited from secdb: one issued on 3-25, the other on 3-29.
Before 3-25-23, grype would use the NVD match as no secdb data has been issued. The constraint would be "versions up to (including) 1.1.4".
When the initial SecDB record comes out on 3-25-23, the constraint < 1.1.4-r0 from the alpine namespace is correct. The "fix" correctly indicates 1.1.4-r0, which is logically > 1.1.4. The maintainers of secdb make no guarantee for future rc candidates here and defer to nvd for future matching.
On 3-29-2023 the constraint < 1.1.4-r7 is less correct given that it can be inclusive of rc-0 and report a false positive.
On 04-05-23, NVD eventually catches up and issues "versions up to and including 1.1.5". In this case, grype should still be able to report the sec fixes of r0 and r7 as being excluded from this new match, while potential instances of r1 - r6 have the vulnerability reported against them. This is helpful for users who are in the process of updating or evaluating where they stand against the current set of matches and SecFixes.
On 04-05-23 NVD becomes the superior constraint and the alpine namespace instead returns to its function as an exclusion feed of versions that may have been backdated from the new NVD constraint.
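The rule described in the Summary and Matching Summary above, as an added illustration that is not grype's own code: the NVD constraint decides the match, and SecDB fix versions only suppress a package whose version exactly equals a recorded fix. The version ordering is a simplified numeric comparison (real apk version rules are richer), and the runc fix versions are constructed from the timeline in this description.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

func component(parts []string, i int) int { // i-th dotted component as int, 0 if absent
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i])
	return n
}

// newerThan reports whether upstream version a > b (simplified numeric ordering).
func newerThan(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := component(as, i), component(bs, i); x != y {
			return x > y
		}
	}
	return false
}

// ShouldReport applies the rule from the PR description: the NVD constraint
// "up to and including nvdMaxInclusive" (on the upstream part of the apk version)
// decides the match; SecDB fixes only exclude an exactly matching fixed version.
func ShouldReport(pkgVersion, nvdMaxInclusive string, secdbFixes []string) bool {
	upstream, _, _ := strings.Cut(pkgVersion, "-") // "1.1.4-r7" -> "1.1.4"
	if newerThan(upstream, nvdMaxInclusive) {
		return false // outside the NVD range, nothing to suppress
	}
	for _, fixed := range secdbFixes {
		if fixed == pkgVersion {
			return false // SecDB records this exact version as fixed
		}
	}
	return true // NVD says vulnerable and SecDB has no fix for this version
}

var runcSecDBFixes = []string{"1.1.4-r0", "1.1.4-r7"} // constructed from the runc timeline above

func main() {
	for _, v := range []string{"1.1.4-r0", "1.1.4-r3", "1.1.4-r7", "1.1.5-r0", "1.1.6-r0"} {
		fmt.Printf("runc %-8s report CVE-2023-27561: %v\n", v, ShouldReport(v, "1.1.5", runcSecDBFixes))
	}
}
```

With the 04-05-23 NVD constraint of 1.1.5, r0 and r7 are suppressed, r3 and 1.1.5-r0 are reported (SecDB has no 1.1.5-r0 entry yet), and 1.1.6-r0 falls outside the NVD range.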
Notes:
matcher.go has been updated: secDBVulnerabilities are now considered secDBVulnFixes. They are still of the Vulnerability type, but the logic has been changed to focus on fixed versions rather than building a constraint. The original constraint logic is incorrect given that the secdb source only promotes singularly fixed versions and makes no guarantee to future/prior versions. vuln.Fix.Versions from secDB is now the arbiter for whether a given package should include its NVD match or not.
Removed/Altered Tests:
TestSecDBOnlyMatch <-- We no longer match against SecDB
To Be Determined