
Optionally orient results by CVE #1020

Merged
merged 4 commits into from
Dec 8, 2022

Conversation

wagoodman
Contributor

@wagoodman wagoodman commented Nov 29, 2022

This PR introduces a new --by-cve option which will orient all results by CVE. For instance, if there is a GHSA that was directly matched on, then the results will instead show the equivalent CVE in the results in its place. If that CVE result was already being shown in the results, then the match details from the GHSA result will be appended to the existing result -- in this way there is always a record of how the CVE match was made (by GHSA).

(screenshot omitted: Screen Shot 2022-11-29 at 1 07 10 PM)

Additionally the JSON results are also re-oriented around CVEs. For example, before this PR a GHSA result would be shown similar to such:

❯ grype .... | jq '.matches[] | select(.vulnerability.id == "GHSA-3pgj-pg6c-r5p7")'
{
  "vulnerability": {
    "id": "GHSA-3pgj-pg6c-r5p7",
    "dataSource": "https://github.com/advisories/GHSA-3pgj-pg6c-r5p7",
    "namespace": "github:language:python",
    ...
  },
  "relatedVulnerabilities": [
    {
      "id": "CVE-2022-36087",
      "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-36087",
      "namespace": "nvd:cpe",
      "severity": "Medium",
      ...
    },
  ],
  "matchDetails": [
    {
      "type": "exact-direct-match",
      "matcher": "python-matcher",
      "searchedBy": {
        "language": "python",
        "namespace": "github:language:python"
      },
      "found": {
        "versionConstraint": ">=3.1.1,<3.2.1 (python)"
      }
    }
  ],
  "artifact": {
    ...
  },
}

After this change:

❯ grype --by-cve ... | jq '.matches[] | select(.vulnerability.id == "CVE-2022-36087")'
{
  "vulnerability": {
    "id": "CVE-2022-36087",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-36087",
    "namespace": "nvd:cpe",
    ...
  },
  "relatedVulnerabilities": [
    {
      "id": "GHSA-3pgj-pg6c-r5p7",
      "dataSource": "https://github.com/advisories/GHSA-3pgj-pg6c-r5p7",
      "namespace": "github:language:python",
      ...
    },
  ],
  "matchDetails": [
    {
      "type": "exact-direct-match",
      "matcher": "python-matcher",
      "searchedBy": {
        "language": "python",
        "namespace": "github:language:python"
      },
      "found": {
        "versionConstraint": ">=3.1.1,<3.2.1 (python)",
        "vulnerabilityID": "GHSA-3pgj-pg6c-r5p7"
      }
    }
  ],
  "artifact": {
    ...
  },
}

The specific changes made:

  • adds a new --by-cve option
  • adds a new vulnerabilityID attribute under the match.Detail.Found map, since the vulnerability record shown may no longer match what was actually matched on during the search.
  • upgrades the top-level API with a new grype.VulnerabilityMatcher object. This encapsulates much of the logic in cmd into something that is accessible in the API, allowing users to correctly apply ignore rules and evaluate severity thresholds without having to implement this themselves.
  • renames and reorganizes some of the top-level matching configurations to be more accurate.

Closes #204
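The re-orientation described above (GHSA result replaced by its related CVE, match details merged into an existing CVE result, original id recorded under found.vulnerabilityID), written out as an added example in Go. This is illustrative code, not grype's implementation: the Vuln, Detail and Match types, orientByCVE and sampleMatches are constructed stand-ins, and the sample input is modelled on the JSON in the description.

```go
package main

import "strings"

// Constructed stand-ins for grype's match records (not grype's real types).
type Vuln struct{ ID string }
type Detail struct{ Found map[string]string } // gains the PR's "vulnerabilityID" key
type Match struct {
	Vulnerability Vuln
	Related       []Vuln
	Details       []Detail
}

// orientByCVE re-keys direct GHSA matches onto their related CVE (a GHSA with no CVE stays
// as-is), merges details into an existing CVE result, and records the matched id in Found.
func orientByCVE(matches []Match) []Match {
	out, index := []Match{}, map[string]int{} // index: shown id -> position in out
	for _, m := range matches {
		for i := range m.Details {
			if m.Details[i].Found == nil {
				m.Details[i].Found = map[string]string{}
			}
			m.Details[i].Found["vulnerabilityID"] = m.Vulnerability.ID
		}
		shown, related := m.Vulnerability, m.Related
		for _, r := range m.Related { // a non-CVE (e.g. GHSA) match moves onto its CVE
			if !strings.HasPrefix(shown.ID, "CVE-") && strings.HasPrefix(r.ID, "CVE-") {
				shown, related = r, []Vuln{m.Vulnerability} // swap the roles
				break
			}
		}
		if pos, seen := index[shown.ID]; seen {
			out[pos].Details = append(out[pos].Details, m.Details...)
			continue
		}
		index[shown.ID] = len(out)
		out = append(out, Match{Vulnerability: shown, Related: related, Details: m.Details})
	}
	return out
}

// sampleMatches is constructed input modelled on the PR description: one flaw
// matched once as its CVE (via CPE) and once directly as the GHSA.
func sampleMatches() []Match {
	ghsa, cve := Vuln{"GHSA-3pgj-pg6c-r5p7"}, Vuln{"CVE-2022-36087"}
	return []Match{
		{Vulnerability: cve, Related: []Vuln{ghsa}, Details: []Detail{{}}},
		{Vulnerability: ghsa, Related: []Vuln{cve}, Details: []Detail{{Found: map[string]string{"versionConstraint": ">=3.1.1,<3.2.1 (python)"}}}},
	}
}
```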

@wagoodman wagoodman changed the title optionally orient results by CVE Optionally orient results by CVE Nov 29, 2022
@wagoodman wagoodman force-pushed the orient-by-cve branch 2 times, most recently from 97dcf9b to 27bd193 Compare November 29, 2022 19:15
@wagoodman wagoodman requested a review from a team November 29, 2022 19:15
@wagoodman wagoodman marked this pull request as ready for review November 29, 2022 19:15
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Contributor

@kzantow kzantow left a comment


LGTM -- only real question is naming of --by-cve and subsequently referring to this as normalize e.g. the NormalizeByCVE flag.

@@ -167,6 +169,11 @@ func setRootFlags(flags *pflag.FlagSet) {
"ignore matches for vulnerabilities that are fixed",
)

flags.BoolP(
"by-cve", "", false,
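Review bot: `flags.BoolP("by-cve", "", false, ...)` passes an empty shorthand, so `flags.Bool("by-cve", false, ...)` registers the same flag without suggesting a short form exists. The usage string is cut off in this hunk; since the name alone does not convey the behaviour (as the naming nit in this thread notes), it should state that GHSA results are replaced by their related CVE and that the id actually matched on is kept under matchDetails found.vulnerabilityID.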
Contributor

@kzantow kzantow Nov 29, 2022


nit: by-cve to me, at least, is not the most clear... maybe something like --cve-first, --orient-by-cve, or --group-by-cve?

Contributor


Yea I can see how a user could conflate it. I also agree none of the current options stand out as a clear winner. I like that --by-cve does not show GHSA. That feels right. The inverse --by-ghsa would not show CVE.

I also ran it locally and it feels right for now, but might be biased since it was the first one I read.

I say ship, and if we end up hating it we can change up the ergonomics if it still feels bad.

Keith also had a good point of eventually making this the default.

@spiffcs
Contributor

spiffcs commented Dec 8, 2022

Waiting for checks then will merge

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs merged commit a869480 into main Dec 8, 2022
@spiffcs spiffcs deleted the orient-by-cve branch December 8, 2022 20:22
spiffcs added a commit that referenced this pull request Dec 13, 2022
* main:
  chore: add GitLab Community Edition image to quality gate (#1035)
  Update Syft to v0.63.0 (#1037)
  fix: Exclude binary packages that have overlap by file ownership relationship (#1024)
  docs: update quality gate docs (#1032)
  Optionally orient results by CVE (#1020)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@anandgia

anandgia commented Feb 9, 2023

@wagoodman thanks for this feature, I tried to run this on an elasticsearch image and don't see CVE IDs where CVE IDs look available.

See output below and example:
GHSA-f3j5-rmmp-3fc5
https://nvd.nist.gov/vuln/detail/CVE-2019-17267

$ grype docker.elastic.co/elasticsearch/elasticsearch:6.8.23 --by-cve | grep GHSA
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [339 packages]
 ✔ Scanned image           [850 vulnerabilities]
guava                        16.0.1                                             java-archive  GHSA-5mg8-w23w-74h3  Low
guava                        16.0.1                   24.1.1                    java-archive  GHSA-mvr2-9pj6-7w5j  Medium
guava                        19.0                                               java-archive  GHSA-5mg8-w23w-74h3  Low
guava                        19.0                     24.1.1                    java-archive  GHSA-mvr2-9pj6-7w5j  Medium
httpclient                   4.5.2                    4.5.13                    java-archive  GHSA-7r82-7xv7-xcpj  Medium
jackson-databind             2.8.11.6                 2.12.6.1                  java-archive  GHSA-57j2-w4cx-62h2  High
jackson-databind             2.8.11.6                 2.12.7.1                  java-archive  GHSA-jjjh-jjxp-wpff  High
jackson-databind             2.8.11.6                 2.12.7.1                  java-archive  GHSA-rgv9-q543-rqg4  High
jackson-databind             2.8.11.6                 2.9.10                    java-archive  GHSA-85cw-hj65-qqv9  Critical
jackson-databind             2.8.11.6                 2.9.10                    java-archive  GHSA-f3j5-rmmp-3fc5  Critical
jackson-databind             2.8.11.6                 2.9.10                    java-archive  GHSA-h822-r4r5-v8jg  Critical
jackson-databind             2.8.11.6                 2.9.10.1                  java-archive  GHSA-fmmc-742q-jg75  Critical
jackson-databind             2.8.11.6                 2.9.10.1                  java-archive  GHSA-gjmw-vf9h-g25v  Critical
jackson-databind             2.8.11.6                 2.9.10.1                  java-archive  GHSA-mx7p-6679-8g3q  Critical
jackson-databind             2.8.11.6                 2.9.10.4                  java-archive  GHSA-fqwf-pjwf-7vqv  Medium
jackson-databind             2.8.11.6                 2.9.10.4                  java-archive  GHSA-p43x-xfjf-5jhr  Critical
jackson-databind             2.8.11.6                 2.9.10.4                  java-archive  GHSA-q93h-jc49-78gg  Critical
jackson-databind             2.8.11.6                 2.9.10.4                  java-archive  GHSA-rpr3-cw39-3pxh  High
jackson-databind             2.8.11.6                 2.9.10.6                  java-archive  GHSA-h3cw-g4mq-c5x2  High
jackson-databind             2.8.11.6                 2.9.10.6                  java-archive  GHSA-qjw2-hr98-qgfh  High
jackson-databind             2.8.11.6                 2.9.10.7                  java-archive  GHSA-288c-cq4h-88gq  High
jackson-databind             2.8.11.6                 2.9.10.7                  java-archive  GHSA-5949-rw7g-wx7w  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-89qr-369f-5m5x  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-8c4j-34r4-xr8g  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-8w26-6f25-cm9x  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-9gph-22xh-8x98  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-9m6f-7xcq-8vf8  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-cvm9-fjm9-3572  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-f9xh-2qgp-cq57  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-m6x4-97wx-4q27  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-r3gr-cxrf-hg25  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-r695-7vr9-jgc2  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-v585-23hc-c647  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-vfqx-33qm-g869  High
jackson-databind             2.8.11.6                 2.9.10.8                  java-archive  GHSA-wh8g-3j2c-rqj5  High
jackson-databind             2.8.11.6                 2.9.9.2                   java-archive  GHSA-6fpp-rgj9-8rwc  Critical
netty-codec                  4.1.32.Final             4.1.68.Final              java-archive  GHSA-9vjp-v76f-g363  High
netty-codec                  4.1.32.Final             4.1.68.Final              java-archive  GHSA-grg4-wf29-r9vv  High
netty-codec-http             4.1.32.Final             4.1.59.Final              java-archive  GHSA-5mcr-gq6c-3hq2  Medium
netty-codec-http             4.1.32.Final             4.1.71.Final              java-archive  GHSA-wx5j-54mm-rqqq  Medium
netty-codec-http             4.1.32.Final             4.1.77.Final              java-archive  GHSA-269q-hmxg-m83q  Medium
netty-handler                4.1.32.Final             4.1.44                    java-archive  GHSA-cqqj-4p63-rrmm  Critical
netty-handler                4.1.32.Final             4.1.45                    java-archive  GHSA-p2v9-g2qv-p635  Medium
netty-handler                4.1.32.Final             4.1.46                    java-archive  GHSA-mm9x-g8pc-w292  High
snakeyaml                    1.17                     1.26                      java-archive  GHSA-rvwf-54qp-4r6v  High
xmlsec                       2.0.8                    2.1.4                     java-archive  GHSA-4q98-wr72-h35w  Medium
xmlsec                       2.0.8                    2.1.7                     java-archive  GHSA-j8wc-gxx9-82hx  High

@kzantow
Contributor

kzantow commented Feb 9, 2023

@anandgia is there a specific image to use to reproduce this?

@anandgia

anandgia commented Feb 9, 2023

Yes @kzantow, I put the image in the above description

docker.elastic.co/elasticsearch/elasticsearch:6.8.23

@ghost

ghost commented Mar 16, 2023

I confirm the observation by @anandgia (and additionally notice --by-cve slows down the scan) with version 0.59.1.

./grype version
Application:          grype
Version:              0.59.1
Syft Version:         v0.74.1
BuildDate:            2023-03-09T14:57:12Z
GitCommit:            29b646568901d1ef48a528cf35f67f3cead49c9f
GitDescription:       v0.59.1
Platform:             linux/amd64
GoVersion:            go1.19.6
Compiler:             gc
Supported DB Schema:  5

Is there anything I can do to help debug this? Perhaps opening a dedicated issue for issues around --by-cve?

@kzantow
Contributor

kzantow commented Mar 16, 2023

@JipSogeti I created a new issue for the performance concern: #1185

Successfully merging this pull request may close these issues.

reporting the relevant CVE number when GHSA is reported