Provider Vulnerability Scanning (#90)
* add provider and provider version to opa call * added provider vulnerability detection * documentation * add latest GHES vulnerability * proper dates * renamed both vuln rules for better clarity * renamed build platform * to support older versions of GitLab: if we get a 404 from the metadata API we use the deprecated version endpoint
1 parent
36d3c7f
commit 7401277
Showing
9 changed files
with
139 additions
and
22 deletions.
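--- a/docs/content/en/rules/known_vulnerability_in_build_platform.md
+++ b/docs/content/en/rules/known_vulnerability_in_build_platform.md
@@ -0,0 +1,19 @@
+---
+title: "Build Platform with a Known Vulnerability used"
+slug: known_vulnerability_in_build_platform
+url: /rules/known_vulnerability_in_build_platform/
+rule: known_vulnerability_in_build_platform
+severity: warning
+---
+
+## Description
+
+A Build/SCM Provider was found to be vulnerable to a publicly known security vulnerability from the [Open Source Vulnerability Database (OSV)](https://osv.dev/)
+
+## Remediation
+
+Upgrade the self-hosted provider to a non-vulnerable version.
+
+## See Also
+- [Upgrade Gitlab](https://docs.gitlab.com/ee/update/)
+- [Upgrade Github Enterprise Server](https://docs.github.com/en/enterprise-server@3.13/admin/overview/about-upgrades-to-new-releases)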
@@ -0,0 +1,32 @@ | ||
package external.build_platform | ||
|
||
advisories = { | ||
"gitlab": {"CVE-2024-2651": { | ||
"osv_id": "CVE-2024-2651", | ||
"published": "2024-05-14T00:00:00Z", | ||
"aliases": [], | ||
"summary": "It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.", | ||
"severity": [{ | ||
"type": "CVSS_V3", | ||
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", | ||
}], | ||
"cwe_ids": ["CWE-400"], | ||
"vulnerable_versions": [], | ||
"vulnerable_version_ranges": [">=0,<16.9.7"], | ||
"vulnerable_commit_shas": [], | ||
}}, | ||
"github": {"CVE-2024-4985": { | ||
"osv_id": "CVE-2024-4985", | ||
"published": "2024-05-20T00:00:00Z", | ||
"aliases": [], | ||
"summary": "It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.", | ||
"severity": [{ | ||
"type": "CVSS_V4", | ||
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/R:U/V:C/RE:M/U:Red", | ||
}], | ||
"cwe_ids": ["CWE-303"], | ||
"vulnerable_versions": [], | ||
"vulnerable_version_ranges": ["<3.9.15","<3.10.12","<3.11.10","<3.12.4"], | ||
"vulnerable_commit_shas": [], | ||
}}, | ||
} |
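Review bot: The `summary` of the github entry CVE-2024-4985 is a verbatim copy of the gitlab CVE-2024-2651 summary ("...denial of service using maliciously crafted markdown content."), which does not agree with that same entry's `cwe_ids` of CWE-303 (an authentication weakness) or its CVSS 4.0 vector with VC:H/VI:H; one of the two entries carries the wrong text, and since the summary is what reaches whoever reads the finding it should be taken from the OSV record for that ID. The gitlab entry lists the single range `>=0,<16.9.7` while the github entry lists one range per supported release line; if the GitLab fix was backported to several minor lines, as its patch-release model usually does, the single range silently clears instances on the newer lines as non-vulnerable — confirm the fixed versions against OSV and add one range per line. A header comment such as `# advisories snapshot from osv.dev, <SNAPSHOT-DATE>` would let reviewers judge how stale this hand-maintained table is, which matters more here than for code because a stale entry is a silent false negative.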
4 changes: 2 additions & 2 deletions
4
opa/rego/rules/known_vulnerability.rego → ...own_vulnerability_in_build_component.rego
@@ -0,0 +1,32 @@ | ||
# METADATA | ||
# title: Build Platform with a Known Vulnerability used | ||
# description: |- | ||
# The build or SCM provider used has a known vulnerability. | ||
# related_resources: | ||
# - ref: https://osv.dev/ | ||
# description: Source Advisory Database | ||
# custom: | ||
# level: warning | ||
package rules.known_vulnerability_in_build_platform | ||
|
||
import data.external.build_platform.advisories | ||
import data.poutine | ||
import rego.v1 | ||
|
||
rule := poutine.rule(rego.metadata.chain()) | ||
|
||
provider_advisory(provider, provider_version) = advisory if { | ||
version := provider_version | ||
advisory := advisories[provider][osv_id] | ||
|
||
regex.match("^[0-9]+(\\.[0-9]+)*?$", version) | ||
|
||
semver.constraint_check(advisory.vulnerable_version_ranges[_], version) | ||
} | ||
|
||
results contains poutine.finding(rule, input.provider, { | ||
"osv_id": advisory.osv_id, | ||
"details": sprintf("Provider: %s", [input.provider]), | ||
}) if { | ||
advisory := provider_advisory(input.provider, input.version) | ||
} |
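Review bot: `provider_advisory` at the top of the hunk is a complete function, so once `advisories[provider]` holds two entries whose `vulnerable_version_ranges` both match the input version, evaluation fails with a conflict error (functions must not produce multiple outputs for the same inputs) rather than producing two findings; with one entry per provider it happens to work, but the table is meant to grow. Making it a set rule (`provider_advisories contains advisory if { ... }`) and iterating over it in `results` yields one finding per matching advisory, which is what the per-finding `osv_id` field implies was intended. The version check `regex.match("^[0-9]+(\\.[0-9]+)*?$", version)` silently makes the rule undefined, with no finding and no error, for any version string carrying a suffix (for instance an edition tag such as `-ee`, if the GitLab endpoint reports one — worth confirming against a real response); if such strings are expected, strip the suffix before matching or at least surface the skipped version, since a silent miss is the worst outcome for a vulnerability check. Including `input.version` in `details` would also make the finding actionable without a second lookup.
```rego
provider_advisories contains advisory if {
	advisory := advisories[input.provider][_]
	regex.match("^[0-9]+(\\.[0-9]+)*$", input.version)
	semver.constraint_check(advisory.vulnerable_version_ranges[_], input.version)
}

results contains poutine.finding(rule, input.provider, {
	"osv_id": advisory.osv_id,
	"details": sprintf("Provider: %s, version: %s", [input.provider, input.version]),
}) if {
	some advisory in provider_advisories
}
```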