A tool to analyse the list of detected CVEs in the containers (usually created by security scanner like JFrog, Aqua, Sysdig or similar) and compare them to the Red Hat Security Data. The cve-analyser can find fixes in the rpm packages bundled in the specified container, as well as the fixes in the non-rpm content (like nodejs libraries).
To use this tool just run:
cve-analyser PATH_TO_THE_.csv_FILE
like:
cve-analyser samples/mix.csv
As an output you will get details about the specified in the .cvs file CVE and container image or package (see more details about cve file format in the next section) impact. There will be information about the Red Hat CVE Severity and fix status for the specific image/package. For one CVE there may appear more than one results what depends on the product support model or list of the affected packages included in the container image. See examples below to better understand the cve-analyser coverage and possible results.
- CVE
- Red Hat container image information or Package name
Like:
CVE-2021-33503,ubi8/ubi:8.4-211
The Red Hat container image name must be provided in format visible also in the Red Hat Container Catalog page (https://catalog.redhat.com/software/containers/search?p=1) where first is specified the repository name, then after the "/" is the container name and after ":" is the image version.
or
CVE-2021-23337,kibana
In the second example as a second parameter is provided a package name. The cve-analyser will search for any results for a specified name (the package name will be used as a keyword for searching), it means that if there is a container with a name similar to the specified name, such container will be also displayed in the findings output. For such item in the .csv file the cve-analyser will show all Red Hat products where component/package name contain a specified word in the CVE affected products list.
The output generated by the cve-analyser tool is also in the .csv format.
The first two fields are records from the input file, i.e. CVE id and the container or package name.
Next field is the Red Hat CVE Severity rating.
In the last field there are shown gathered information about the specific CVE and container/package. Data in this field are grouped in the brackets to show all possible available fixed for the specific component and product (depending on the product support model). In this field there might appear information about product version, per-product severity, fix status and details about the fixed component version.
For example, if in the input will contains lines like below:
CVE-2021-23337,openshift4/ose-logging-kibana6:v4.6.0-202109071652.p0.git.d578b18.assembly.stream
CVE-2021-23337,kibana
The output from the cve-analyser for each line will be:
CVE-2021-23337,kibana,CVE Severity:Moderate,(Red Hat OpenShift Container Platform 3.11|Product impact:moderate|Will not fix|kibana)(Red Hat OpenShift Container Platform 4|Product impact:moderate|Will not fix|kibana)(Red Hat OpenShift Container Platform 4|Product impact:moderate|Will not fix|openshift4/ose-logging-kibana6)
CVE-2021-23337,openshift4/ose-logging-kibana6:v4.6.0-202109071652.p0.git.d578b18.assembly.stream,CVE Severity:Moderate,(Red Hat OpenShift Container Platform 4|Product impact:moderate|Will not fix|openshift4/ose-logging-kibana6)
The image openshift4/ose-logging-kibana6 is displayed twice.
First record shows fuzzy-searching results for kibana keyword, when the second record is an exact finding for the specific provided container openshift4/ose-logging-kibana6:v4.6.0-202109071652.p0.git.d578b18.assembly.stream.
Using a keyword as the search value is useful when you don't know exactly if the reported vulnerable package is a package in the container or maybe it's a non-rpm content. It might be useful if you want to find any products (container images or packages) with a specific name as a affected component.
To show more accurate results it is recommended to use first notation, with the exact container name as a component.
When the exact container name is used as the potentially affected (detected by the security scanner) component, the cve-analyser tool will try to find all information for the specified container.
If the vulnerability is related to the non-rpm content (content in the container image what is not correlated with any installed packages), the tool will use container name to find necessary information: fix state and information about the fixed container version. For example the CVE-2021-3114 is related to the Golang standard library vulnerability. If you specify item in the .csv file like below:
CVE-2021-3114,openshift4/ose-thanos-rhel8:v4.8.0-202111041632.p0.git.f7c1227.assembly.stream
The cve-analyser will show that this specific vulnerability (related to the non-rpm content in the openshift4/ose-thanos-rhel8) has been fixed in OpenShift 4.7 release in the openshift4/ose-thanos-rhel8:v4.7.0-202103202139.p0 container.
Output is as follows:
CVE-2021-3114,openshift4/ose-thanos-rhel8:v4.8.0-202111041632.p0.git.f7c1227.assembly.stream,CVE Severity:Moderate,(Red Hat OpenShift Container Platform 4.7|Product impact:moderate|RHSA-2021:0957|openshift4/ose-thanos-rhel8:v4.7.0-202103202139.p0)
If the vulnerability is related to the specific rpm package which is bundled in the container image, the cve-analyser tool will corelate the information about available fixes for the particular CVE with the list of bundled in the container packages and show information about available fixes for these packages. For example, CVE-2019-20916 is related to the Python vulnerability (more details at https://access.redhat.com/security/cve/CVE-2019-20916). If you specify item in the .csv file like below:
CVE-2019-20916,jboss-webserver-5/webserver55-openjdk11-tomcat9-openshift-rhel8:1.0-6.1634740122
In the output you will see:
CVE-2019-20916,jboss-webserver-5/webserver55-openjdk11-tomcat9-openshift-rhel8:1.0-6.1634740122,CVE Severity:Moderate,(Red Hat Enterprise Linux 8|Product impact:moderate|RHSA-2020:4432|python-pip-0:9.0.3-18.el8)
Where is information about the fixed package what is bundled in the jboss-webserver-5/webserver55-openjdk11-tomcat9-openshift-rhel8 container.
See more examples in the /samples directory.