Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(vex): add support for relationships/subcomponents #6077

Open
knqyf263 opened this issue Feb 7, 2024 · 4 comments
Open

feat(vex): add support for relationships/subcomponents #6077

knqyf263 opened this issue Feb 7, 2024 · 4 comments
Assignees
@knqyf263
Labels
scan/vulnerability Issues relating to vulnerability scanning
Milestone
v0.52.0

Comments

@knqyf263
Copy link
Collaborator

knqyf263 commented Feb 7, 2024

Description

Trivy currently doesn't consider relationships in VEX. It simply supports a list of products.

   "relationships": [
      {
        "product_reference": "runc-v1.1.12",
        "category": "default_component_of",
        "relates_to_product_reference": "trivy-0.49.0",
        "full_product_name": {
          "product_id": "trivy-0.49.0-runc",
          "name": "Trivy uses runc library"
        }
      }
    ]
  }

In the above example, Trivy should apply VEX to runc only used in Trivy.
@knqyf263 knqyf263 self-assigned this Feb 7, 2024
@knqyf263 knqyf263 added this to the v0.50.0 milestone Feb 7, 2024
@knqyf263 knqyf263 added the scan/vulnerability Issues relating to vulnerability scanning label Feb 7, 2024
@ferozsalam
Copy link

ferozsalam commented Feb 15, 2024
edited

👋 hey @knqyf263 - I just came across similar behaviour yesterday when looking at using Trivy to scan some images along with a VEX file.

I'm having a related issue - suppose I had a VEX statement like the following to represent an attestation made about the bash package in blah container:

    {
      "vulnerability": {
        "name": "CVE-2022-3715"
      },
      "products": [
        {
          "@id": "pkg:oci/blah",
          "subcomponents": [
            {
              "@id": "pkg:deb/ubuntu/bash@5.1-6ubuntu1"
            }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    },

In Trivy, this doesn't work to match when scanning the blah container with the --vex flag - the product ID needs to be pkg:deb/ubuntu/bash@5.1-6ubuntu1 in order to make it work. But this means that there's no way of representing which container (which in my case is the product itself) is affected.

In Grype, the above statement would correctly match when scanning the blah container, and excludes only the result affecting the bash deb if the CVE affects multiple packages within the container.

To me, Grype's behaviour is more intuitive. I'd be keen to see Trivy and Grype support a consistent interpretation of VEX documents as well, to avoid having to publish multiple VEX documents, one for each scanner.

I'd be interested to know your thoughts on this, and happy to help contributing to any changes that are required. Should this be a separate issue, or does it fit in with the changes that you are proposing here?

@knqyf263
Copy link
Collaborator Author

knqyf263 commented Feb 16, 2024
edited

Yes, it's in the scope of this issue, but it's broader support than the relationship between container image and packages. We'll correctly build the dependency graph and apply VEX to the graph.

@knqyf263 knqyf263 mentioned this issue Mar 13, 2024
Merged
6 tasks
@knqyf263
Copy link
Collaborator Author

@ferozsalam This task is yet incomplete, but your case is already supported in v0.50.0.

@ferozsalam
Copy link

@knqyf263 awesome, thank you!

@knqyf263 knqyf263 modified the milestones: v0.50.0, v0.51.0 Apr 1, 2024
@knqyf263 knqyf263 modified the milestones: v0.51.0, v0.52.0 Apr 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@knqyf263 knqyf263

Labels
scan/vulnerability Issues relating to vulnerability scanning
Projects
Trivy Roadmap
Status: Roadmap
Milestone
v0.52.0
Development

No branches or pull requests
2 participants
@ferozsalam @knqyf263