
fix: enable parsing of UUID-only rekor entry ID #2887

Merged
merged 4 commits into from Sep 16, 2022

Conversation

@otms61 (Collaborator) commented Sep 16, 2022

Description

Enable parsing of UUID-only rekor entry ID.

Before

$ ./trivy image --debug --sbom-sources rekor knqyf263/cosign-test
2022-09-16T09:06:37.776+0900	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-16T09:06:37.834+0900	DEBUG	cache dir:  /Users/saso/Library/Caches/trivy
2022-09-16T09:06:37.835+0900	INFO	Need to update DB
2022-09-16T09:06:37.835+0900	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-16T09:06:37.835+0900	INFO	Downloading DB...
33.96 MiB / 33.96 MiB [------------------------------------------------------] 100.00% 16.52 MiB p/s 2.3s
2022-09-16T09:06:41.320+0900	DEBUG	Updating database metadata...
2022-09-16T09:06:41.320+0900	DEBUG	DB Schema: 2, UpdatedAt: 2022-09-15 18:06:32.95490136 +0000 UTC, NextUpdate: 2022-09-16 00:06:32.95490096 +0000 UTC, DownloadedAt: 2022-09-16 00:06:41.320199 +0000 UTC
2022-09-16T09:06:41.320+0900	INFO	Vulnerability scanning is enabled
2022-09-16T09:06:41.320+0900	DEBUG	Vulnerability type:  [os library]
2022-09-16T09:06:41.320+0900	INFO	Secret scanning is enabled
2022-09-16T09:06:41.320+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-16T09:06:41.320+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T09:06:43.256+0900	DEBUG	No secret config detected: trivy-secret.yaml
2022-09-16T09:06:43.511+0900	DEBUG	Image ID: sha256:0ac33e5f5afa79e084075e8698a22d574816eea8d7b7d480586835657c3e1c8b
2022-09-16T09:06:43.512+0900	DEBUG	Diff IDs: [sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628]
2022-09-16T09:06:43.512+0900	DEBUG	Search for sha256:a777c9c66ba177ccfea23f2a216ff6721e78a662cd17019488c417135299cd89 in Rekor
2022-09-16T09:06:44.059+0900	FATAL	image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /Users/saso/.ghq/github.com/otms61/trivy/pkg/commands/artifact/run.go:369
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /Users/saso/.ghq/github.com/otms61/trivy/pkg/commands/artifact/run.go:229
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /Users/saso/.ghq/github.com/otms61/trivy/pkg/commands/artifact/run.go:543
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /Users/saso/.ghq/github.com/otms61/trivy/pkg/scanner/scan.go:127
  - remote SBOM fetching error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.Inspect
        /Users/saso/.ghq/github.com/otms61/trivy/pkg/fanal/artifact/image/image.go:100
  - Rekor attestation searching error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.retrieveRemoteSBOM
        /Users/saso/.ghq/github.com/otms61/trivy/pkg/fanal/artifact/image/remote_sbom.go:32
  - failed to search rekor records:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectSBOMAttestation
        /Users/saso/.ghq/github.com/otms61/trivy/pkg/fanal/artifact/image/remote_sbom.go:55
  - invalid entry UUID:
    github.com/aquasecurity/trivy/pkg/rekor.(*Client).Search
        /Users/saso/.ghq/github.com/otms61/trivy/pkg/rekor/client.go:74
  - invalid Entry ID length:
    github.com/aquasecurity/trivy/pkg/rekor.NewEntryID
        /Users/saso/.ghq/github.com/otms61/trivy/pkg/rekor/client.go:34

After

$ ./trivy image --debug --sbom-sources rekor knqyf263/cosign-test
2022-09-16T09:34:35.774+0900	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-16T09:34:35.824+0900	DEBUG	cache dir:  /Users/saso/Library/Caches/trivy
2022-09-16T09:34:35.825+0900	DEBUG	DB update was skipped because the local DB was downloaded during the last hour
2022-09-16T09:34:35.825+0900	DEBUG	DB Schema: 2, UpdatedAt: 2022-09-15 18:06:32.95490136 +0000 UTC, NextUpdate: 2022-09-16 00:06:32.95490096 +0000 UTC, DownloadedAt: 2022-09-16 00:06:41.320199 +0000 UTC
2022-09-16T09:34:35.826+0900	INFO	Vulnerability scanning is enabled
2022-09-16T09:34:35.827+0900	DEBUG	Vulnerability type:  [os library]
2022-09-16T09:34:35.827+0900	INFO	Secret scanning is enabled
2022-09-16T09:34:35.827+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-16T09:34:35.827+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T09:34:37.886+0900	DEBUG	No secret config detected: trivy-secret.yaml
2022-09-16T09:34:38.244+0900	DEBUG	Image ID: sha256:0ac33e5f5afa79e084075e8698a22d574816eea8d7b7d480586835657c3e1c8b
2022-09-16T09:34:38.244+0900	DEBUG	Diff IDs: [sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628]
2022-09-16T09:34:38.244+0900	DEBUG	Search for sha256:a777c9c66ba177ccfea23f2a216ff6721e78a662cd17019488c417135299cd89 in Rekor
2022-09-16T09:34:38.767+0900	DEBUG	Found matching Rekor entries: [362f8ecba72f4326345ca077f07ac84e8e4c682ea9ccd1d51c31f1ddbeaed8fe6d2f8f991255688c 362f8ecba72f432687c478057baac53e00e25fcf4b51c17ba414d8d2eb1c4f074e2a5158394a1316 362f8ecba72f4326b3362dc3dc2713cb2acc6f1f2c7675d197d952be981b71f8e08a7859e6e0eaf8 e90147f02fbfca9314bfa996a01838a023e4600fac7fdabc4d29a5a50a007081 bcfc7effdc8907b9c018404308acd759f83d830532aeccca2346e13d4471b2af a28da22df961a8de093a36f677b66c99866b1835a26cae83abb248a8e94fd174 0ee6e81c6d814f3452a7117b8c53300fc7fd7ea29f016332e6c1cf74c1b7dc93 45722c65836c960294e51d573bc6ab7cc95a95c9a23ffbc47d8960012f6d73c3 8af75128a177eed22b0e8871fe6d7965c06867c10d8e928bc5040ff7e8f94b6d 11fb59c3ebe245dca583dd63c22f54760fadfb72453e2ca95cdf849232b9e310]
2022-09-16T09:34:38.767+0900	DEBUG	Inspecting Rekor entry: 362f8ecba72f4326345ca077f07ac84e8e4c682ea9ccd1d51c31f1ddbeaed8fe6d2f8f991255688c
2022-09-16T09:34:39.348+0900	DEBUG	Base Layers: []
2022-09-16T09:34:39.349+0900	DEBUG	Missing image ID in cache: sha256:0ac33e5f5afa79e084075e8698a22d574816eea8d7b7d480586835657c3e1c8b
2022-09-16T09:34:39.349+0900	DEBUG	Missing diff ID in cache: sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628
2022-09-16T09:34:39.882+0900	INFO	Detected OS: alpine
2022-09-16T09:34:39.882+0900	INFO	Detecting Alpine vulnerabilities...
2022-09-16T09:34:39.882+0900	DEBUG	alpine: os version: 3.15
2022-09-16T09:34:39.882+0900	DEBUG	alpine: package repository: 3.15
2022-09-16T09:34:39.882+0900	DEBUG	alpine: the number of packages: 14
2022-09-16T09:34:39.891+0900	INFO	Number of language-specific files: 0

knqyf263/cosign-test (alpine 3.15.4)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 1)

┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-2097  │ MEDIUM   │ 1.1.1n-r0         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes              │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                 │
├──────────────┤                │          │                   │               │                                                           │
│ libssl1.1    │                │          │                   │               │                                                           │
│              │                │          │                   │               │                                                           │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ zlib         │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r0         │ 1.2.12-r2     │ zlib: a heap-based buffer over-read or buffer overflow in │
│              │                │          │                   │               │ inflate in inflate.c...                                   │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
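
The "invalid Entry ID length" failure in the "Before" log comes from a parser that only accepted the 80-character entry ID (a 16-hex-character tree ID followed by the 64-hex-character entry UUID); the "After" log shows the search result list mixing that form with 64-character UUID-only IDs. The following Go program is an added example, not Trivy's own parser or Rekor's code: it accepts both forms, validates the hex alphabet before using an ID, and fails a whole batch on one malformed ID the way the "Before" run did. `ParseEntryID`, `ParseEntryIDs` and `EntryID` are names chosen for this example; the two valid IDs are copied from the "Found matching Rekor entries" line above and the malformed one is constructed.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
)

// Rekor entry IDs come in two hex-encoded shapes:
//   - 80 chars: 16-char tree (shard) ID followed by the 64-char entry UUID
//   - 64 chars: UUID only, as seen for some entries in the search results above
const (
	treeIDLen = 16
	uuidLen   = 64
)

// EntryID is a parsed entry identifier. TreeID is empty for UUID-only IDs,
// so the ID alone does not say which shard holds the entry.
type EntryID struct {
	TreeID string
	UUID   string
}

// ErrInvalidEntryID is wrapped by every parse failure so callers can tell a
// malformed ID apart from a transport or server error.
var ErrInvalidEntryID = errors.New("invalid Rekor entry ID")

// ParseEntryID validates and splits an entry ID (example code; names are
// assumptions). The alphabet is checked before the length so that a non-hex
// value is never interpolated into an API path like /api/v1/log/entries/{id}.
func ParseEntryID(id string) (EntryID, error) {
	if _, err := hex.DecodeString(id); err != nil {
		return EntryID{}, fmt.Errorf("%w: not hex-encoded: %q", ErrInvalidEntryID, id)
	}
	switch len(id) {
	case treeIDLen + uuidLen:
		return EntryID{TreeID: id[:treeIDLen], UUID: id[treeIDLen:]}, nil
	case uuidLen:
		return EntryID{UUID: id}, nil
	default:
		return EntryID{}, fmt.Errorf("%w: length %d, want %d or %d",
			ErrInvalidEntryID, len(id), uuidLen, treeIDLen+uuidLen)
	}
}

// String gives back the ID in the form used for an entry lookup.
func (e EntryID) String() string { return e.TreeID + e.UUID }

// ParseEntryIDs parses a search result list. One bad ID fails the whole
// batch, mirroring the "Before" log; the fix is that the UUID-only form is
// no longer treated as bad.
func ParseEntryIDs(ids []string) ([]EntryID, error) {
	out := make([]EntryID, 0, len(ids))
	for _, id := range ids {
		e, err := ParseEntryID(id)
		if err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, nil
}

func main() {
	// Two IDs from the "Found matching Rekor entries" line above, plus a
	// constructed malformed value of the kind the hex check must reject.
	ids := []string{
		"362f8ecba72f4326345ca077f07ac84e8e4c682ea9ccd1d51c31f1ddbeaed8fe6d2f8f991255688c",
		"e90147f02fbfca9314bfa996a01838a023e4600fac7fdabc4d29a5a50a007081",
		"../../not-an-id",
	}
	for _, id := range ids {
		e, err := ParseEntryID(id)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("tree=%q uuid=%q\n", e.TreeID, e.UUID)
	}
}
```

Callers that build a lookup URL from an ID should go through a parser like this rather than checking length alone: the length check alone would have let a 64-character value through without saying anything about its characters, and the hex check alone would not distinguish the two legitimate forms.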

@knqyf263 knqyf263 merged commit ba29ce6 into aquasecurity:main Sep 16, 2022
@otms61 otms61 deleted the fix_rekor_uuid_parser branch September 16, 2022 08:51