scout-cli
scout-cli copied to clipboard
docker
Consider option or ignore-file allowing to ignore a list of CVEs
Hi,
It would make sense for some of my use cases to be able to ignore some CVEs. For example a vulnerable library may be present in the image but is unused in the application.
Trivy for example provides a way to ignore CVE by IDs via an ignore file: https://aquasecurity.github.io/trivy/dev/docs/configuration/filtering/#by-finding-ids
Can I suggest: --ignore-ids / --filter-ids / --filter-ids ... ? Although a file is good as I can write comments to justify the reason to ignore them.
Currently, I've had to create a wee python script that reads a YAML file where I can add which image should ignore what CVEs; I then read the JSON output of Scout to report on the result.
Thanks for providing Docker Scout!
The Scout CLI ships with support for VEX. See https://www.docker.com/blog/filter-out-security-vulnerability-false-positives-with-vex/ for how to use this locally. Once you have a VEX JSON file or files, you can pass them into the docker scout cve --vex-location option. Could you give this a try and see if this fits your workflow?
Support VEX/suppression on the platform is currently under development.
Oh thanks, I remember skipping this section as I saw it required a Docker account and containerd. So I assumed this was something I couldn't run locally.
Am I right to understand I should be able to use VEX to suppress vulnerabilities reporting of a _ local _ image? The workflow I am interested in is: Scan images from a Linux machine of images from an Azure Container Registry (non premium); expecting to be able to scan any local images too.
I have failed to be able to use this suppression when trying both with the tutorial and with a local image.
Support VEX/suppression on the platform is currently under development.
Are my issues kind of expected if things are still in beta-ish, and I should just wait?
More details
- Scout version: version: v1.7.0 (go1.22.1 - linux/amd64), git commit: 820564fcbe0e948fe1b0d6f84cc8875437171ffb
- OS: Arch Linux
- My
/etc/docker/daemon.json:
{
"experimental": true,
"debug": false,
"features": {
"buildkit": true,
"containerd-snapshotter": true
}
}
My two attempts
- Followed the instructions from https://docs.docker.com/scout/guides/vex/ to the T. I used
mdupaulrias ORG: https://hub.docker.com/r/mdupaulri/scout-demo-service (the image doesn't appear pushed as of writing, yet it is present on my Docker Scout dashboard) Output ofdocker scout cves --only-cve-id CVE-2022-24999 --vex-location .in the collapsed panel
Click to expand! Content of CVE-2022-24999.vex.json
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-766b244a12d8cea5a4f2a19cdc1c0511710d29ac11ab7a7ccaea09ea3cde3255",
"author": "[email protected]",
"timestamp": "2024-04-16T19:12:35.965284085+01:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2022-24999"
},
"timestamp": "2024-04-16T19:12:35.96528476+01:00",
"products": [
{
"@id": "pkg:docker/mdupaulri/scout-demo-service@v1",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
},
{
"@id": "pkg:npm/[email protected]"
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path"
}
]
}
Click to expand! Scout CLI output
## Overview
│ Analyzed Image
────────────────────┼───────────────────────────────────────────────
Target │
digest │ ccefb2ffc4eb
platform │ linux/amd64
provenance │ https://github.com/docker/scout-demo-service
│ https://github.com/docker/scout-demo-service/blob/0de180be8a6e8deb3b63cd52b0811b3a23d91c31
vulnerabilities │ 0C 2H 0M 0L
size │ 19 MB
packages │ 72
│
Base image │ alpine:3.14
│ be9bdc0ef8e9
## Packages and Vulnerabilities
0C 1H 0M 0L express 4.17.1
pkg:npm/[email protected]
https://github.com/docker/scout-demo-service/blob/0de180be8a6e8deb3b63cd52b0811b3a23d91c31/Dockerfile#L14-L17
RUN apk add --no-cache npm \
&& npm i --no-optional \
&& npm cache clean --force \
&& apk del npm
✗ HIGH CVE-2022-24999 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2022-24999?s=gitlab&n=express&t=npm&vr=%3C4.17.3
Affected range : <4.17.3
Fixed version : 4.17.3
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0C 1H 0M 0L qs 6.7.0
pkg:npm/[email protected]
https://github.com/docker/scout-demo-service/blob/0de180be8a6e8deb3b63cd52b0811b3a23d91c31/Dockerfile#L14-L17
RUN apk add --no-cache npm \
&& npm i --no-optional \
&& npm cache clean --force \
&& apk del npm
✗ HIGH CVE-2022-24999 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')]
https://scout.docker.com/v/CVE-2022-24999?s=github&n=qs&t=npm&vr=%3E%3D6.7.0%2C%3C6.7.3
Affected range : >=6.7.0
: <6.7.3
Fixed version : 6.7.3
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2 vulnerabilities found in 2 packages
LOW 0
MEDIUM 0
HIGH 2
CRITICAL 0
What's Next?
View base image update recommendations → docker scout recommendations mdupaulri/scout-demo-service@sha256:ccefb2ffc4eb4369735bc0af04abe6ace855db552bff99fc6e937ab0037f0225
- Building a local image. I tried the same idea with the
pythonbase image. Basically ran the following:
docker pull python
vexctl create \
--product "pkg:docker/python" \
--vuln CVE-2018-20225 \
--subcomponents 'pkg:pypi/[email protected]' \
--status not_affected \
--justification vulnerable_code_not_in_execute_path \
--file CVE-2018-20225.vex.json
docker scout cves --vex-location . --only-cve-id CVE-2018-20225 python
Click to expand! Scout CLI output
## Overview
│ Analyzed Image
────────────────────┼──────────────────────────────
Target │ python:latest
digest │ e0e2713ebf0f
platform │ linux/amd64
vulnerabilities │ 0C 1H 0M 0L
size │ 381 MB
packages │ 573
## Packages and Vulnerabilities
0C 1H 0M 0L pip 24.0
pkg:pypi/[email protected]
✗ HIGH CVE-2018-20225 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2018-20225?s=gitlab&n=pip&t=pypi&vr=%3E%3D0
Affected range : >=0
Fixed version : not fixed
CVSS Score : 7.8
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
VEX : not affected [vulnerable code not in execute path]
: Unknown Author
1 vulnerability found in 1 package
LOW 0
MEDIUM 0
HIGH 1
CRITICAL 0
What's Next?
View base image update recommendations → docker scout recommendations python:latest
Is this an expected workflow?
Thanks for the detailed response, @paul-ri.
Am I right to understand I should be able to use VEX to suppress vulnerabilities reporting of a _ local _ image? The workflow I am interested in is: Scan images from a Linux machine of images from an Azure Container Registry (non premium); expecting to be able to scan any local images too.
Yes, this is expected to work locally without any paid account or subscription.
Support VEX/suppression on the platform is currently under development. Are my issues kind of expected if things are still in beta-ish, and I should just wait?
No, the VEX support in the CLI should work.
Let's take a look at your two cases:
1
I think the issue here (which if true is a bug) is that the command doesn't specify an image ref and I can see how this would make the VEX matching fail. To confirm, could you try with docker scout cves --only-cve-id CVE-2022-24999 --vex-location . mdupaulri/scout-demo-service:v1 as command?
2
This did actually work as indicated by the VEX section in the following output:
✗ HIGH CVE-2018-20225 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2018-20225?s=gitlab&n=pip&t=pypi&vr=%3E%3D0
Affected range : >=0
Fixed version : not fixed
CVSS Score : 7.8
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
VEX : not affected [vulnerable code not in execute path]
: Unknown Author
If you want to filter out not_affected CVEs, supply the --only-vex-affected command line option to the cves command. Using that, those CVEs should be gone from the result.
Let me know if that helps. And again, many thanks for raising those issues here.
That's helpful.
This did actually work as indicated
That is so true I am sorry. I ran these commands so many times failing at first as I tried the tool, that I eventually just learned to look at the final summary lines. Adding --only-vex-affected would have helped to see this.
Yet, the fact I missed it might be related to the following odd behaviour:
To confirm, could you try with docker scout cves --only-cve-id CVE-2022-24999 --vex-location . mdupaulri/scout-demo-service:v1 as command?
I do see the VEX line being added to the report when running the command. But _ only _ if this if the first command being ran after building. If I run docker scout without the image specified, it fails. And if I run it again _ with _ the image name specified, it fails!
Here's a recording. Commands ran are:
docker build --provenance=true --sbom=true --tag mdupaulri/scout-demo-service:v1 --push .
# No CVE found
docker scout cves --only-cve-id CVE-2022-24999 --vex-location . --only-vex-affected mdupaulri/scout-demo-service:v1
# CVEs found for all subsequent commands
docker scout cves --only-cve-id CVE-2022-24999 --vex-location . --only-vex-affected
docker scout cves --only-cve-id CVE-2022-24999 --vex-location . --only-vex-affected mdupaulri/scout-demo-service:v1
docker scout cves --only-cve-id CVE-2022-24999 --vex-location . --only-vex-affected mdupaulri/scout-demo-service:v1
docker scout cves --only-cve-id CVE-2022-24999 --vex-location . --only-vex-affected
docker scout cves --only-cve-id CVE-2022-24999 --vex-location . --only-vex-affected mdupaulri/scout-demo-service:v1
https://github.com/docker/scout-cli/assets/54000402/4c198fac-c829-41a2-8b14-aecad2f2a051
If you want me to run anything else, happy to try. I can't event think of what to try here to debug this, I don't see a verbose option.
I will try with my own images again tomorrow
I've been working with scout and vex files the last few days and I can't quite understand why it works sometimes ...
On two separate builds of a docker image, the scout cli will either recognise the vex file, or it will not.
Attempt 1
$ docker scout cves --vex-location ./vex local://tyler/plt-mock-hl7-server:tyler-1
✓ SBOM of image already cached, 375 packages indexed
✓ Loaded 2 VEX documents
✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities
## Overview
│ Analyzed Image
────────────────────┼──────────────────────────────────────────────
Target │ local://tyler/plt-mock-hl7-server:tyler-1
digest │ b458635ac081
platform │ linux/amd64
vulnerabilities │ 0C 0H 1M 0L 1?
size │ 65 MB
packages │ 375
## Packages and Vulnerabilities
0C 0H 1M 0L semver 5.7.1
pkg:npm/[email protected]
✗ MEDIUM CVE-2022-25883 [Inefficient Regular Expression Complexity]
https://scout.docker.com/v/CVE-2022-25883
Affected range : <5.7.2
Fixed version : 5.7.2
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
VEX : not affected [vulnerable code not present]
: [email protected]
0C 0H 0M 0L 1? openssl 3.1.4-r5
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19
✗ UNSPECIFIED CVE-2024-2511
https://scout.docker.com/v/CVE-2024-2511
Affected range : <3.1.4-r6
Fixed version : 3.1.4-r6
VEX : not affected [This is a mock server and not expected to be used for production workloads. If Denial of Service is met, there is low risk to the application]
: [email protected]
2 vulnerabilities found in 2 packages
UNSPECIFIED 1
LOW 0
MEDIUM 1
HIGH 0
CRITICAL 0
The vex files are loaded and used in the analysis to mark the vulnerabilities as not_affected
Attempt 2
$ docker scout cves --vex-location ./vex local://<AZURE_ACR>.azurecr.io/tyler/plt-mock-hl7-server:vex-1
✓ SBOM of image already cached, 375 packages indexed
✓ Loaded 2 VEX documents
✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities
## Overview
│ Analyzed Image
────────────────────┼─────────────────────────────────────────────────────────────────────
Target │ local://<AZURE_ACR>.azurecr.io/tyler/plt-mock-hl7-server:vex-1
digest │ 3ec042bddb65
platform │ linux/amd64
vulnerabilities │ 0C 0H 1M 0L 1?
size │ 65 MB
packages │ 375
## Packages and Vulnerabilities
0C 0H 1M 0L semver 5.7.1
pkg:npm/[email protected]
✗ MEDIUM CVE-2022-25883 [Inefficient Regular Expression Complexity]
https://scout.docker.com/v/CVE-2022-25883
Affected range : <5.7.2
Fixed version : 5.7.2
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
0C 0H 0M 0L 1? openssl 3.1.4-r5
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19
✗ UNSPECIFIED CVE-2024-2511
https://scout.docker.com/v/CVE-2024-2511
Affected range : <3.1.4-r6
Fixed version : 3.1.4-r6
2 vulnerabilities found in 2 packages
UNSPECIFIED 1
LOW 0
MEDIUM 1
HIGH 0
CRITICAL 0
Here, the vex files is loaded into the analysis, but the vulnerabilities still show as affected
@TylerHaigh, thanks for experimenting with this. The current version of the CLI enforces the product/@id to be the name of the image that you are running the CLI against. Given the VEX statements are successfully applied against tyler/plt-mock-hl7-server I assume that's probably the product/@id using the statements? Is that correct? If so, try adding another product entry for <AZURE_ACR>.azurecr.io/tyler/plt-mock-hl7-server.
This could also be caused by us creating invalid PURLs for non Docker Hub registry images. Could you share your VEX file here?
Thanks @cdupuis I'll have a look into the product/@id. Does that mean the pkg:npm/[email protected] package (see below) should be a sub-component?
CVE-2022-25883.vex.json File below
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-87eecb66df96f25f6ed58d1a9904dd737dfaa6c8594ff384d95eed60a5b7e7c9",
"author": "[email protected]",
"timestamp": "2024-04-30T16:13:24.1687828+10:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2022-25883"
},
"timestamp": "2024-04-30T16:13:24.1687828+10:00",
"products": [
{
"@id": "pkg:npm/[email protected]",
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present"
}
]
}
Thanks, this indicates that there's something wrong with us internally using PURLs for images coming from non-Docker Hub registries. I'll see if I can reproduce this.
I can't replicate my own commands mentioned in my last message. The vulnerabilities are properly ignored now in every case.
I'm still on docker-scout 1.7.0. So not much has changed except a bunch of reboot and updates of the OS (today's docker version: Docker version 26.1.0, build 9714adc6c7).
So it's confusing. I won't investigate more for now.
Definitely looks to be related to non-Docker hub registries., I've tried three variations of the vex file. Results below:
Putting the affected NPM package in the root product@id
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-87eecb66df96f25f6ed58d1a9904dd737dfaa6c8594ff384d95eed60a5b7e7c9",
"author": "[email protected]",
"timestamp": "2024-04-30T16:13:24.1687828+10:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2022-25883"
},
"timestamp": "2024-04-30T16:13:24.1687828+10:00",
"products": [
{
"@id": "pkg:npm/[email protected]"
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present - Package in root"
}
]
}
$ docker scout cves --vex-location ./vex tyler/plt-mock-hl7-server
✓ SBOM of image already cached, 375 packages indexed
✓ Loaded 1 VEX document
✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities
## Overview
│ Analyzed Image
────────────────────┼─────────────────────────────────────
Target │ tyler/plt-mock-hl7-server:latest
digest │ 0358ff78ca86
platform │ linux/amd64
vulnerabilities │ 0C 0H 1M 0L 1?
size │ 65 MB
packages │ 375
## Packages and Vulnerabilities
0C 0H 1M 0L semver 5.7.1
pkg:npm/[email protected]
✗ MEDIUM CVE-2022-25883 [Inefficient Regular Expression Complexity]
https://scout.docker.com/v/CVE-2022-25883
Affected range : <5.7.2
Fixed version : 5.7.2
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
VEX : not affected [vulnerable code not present - Package in root]
: [email protected]
Putting the Docker image in the root product@id and NPM package as a sub-component
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-87eecb66df96f25f6ed58d1a9904dd737dfaa6c8594ff384d95eed60a5b7e7c9",
"author": "[email protected]",
"timestamp": "2024-04-30T16:13:24.1687828+10:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2022-25883"
},
"timestamp": "2024-04-30T16:13:24.1687828+10:00",
"products": [
{
"@id": "pkg:docker/tyler/plt-mock-hl7-server",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present - using docker image as root"
}
]
}
$ docker scout cves --vex-location ./vex tyler/plt-mock-hl7-server
✓ SBOM of image already cached, 375 packages indexed
✓ Loaded 1 VEX document
✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities
## Overview
│ Analyzed Image
────────────────────┼─────────────────────────────────────
Target │ tyler/plt-mock-hl7-server:latest
digest │ 0358ff78ca86
platform │ linux/amd64
vulnerabilities │ 0C 0H 1M 0L 1?
size │ 65 MB
packages │ 375
## Packages and Vulnerabilities
0C 0H 1M 0L semver 5.7.1
pkg:npm/[email protected]
✗ MEDIUM CVE-2022-25883 [Inefficient Regular Expression Complexity]
https://scout.docker.com/v/CVE-2022-25883
Affected range : <5.7.2
Fixed version : 5.7.2
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
VEX : not affected [vulnerable code not present - using docker image as root]
: [email protected]
Putting the Private container registry in the root product@id and NPM package as a sub-component
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-87eecb66df96f25f6ed58d1a9904dd737dfaa6c8594ff384d95eed60a5b7e7c9",
"author": "[email protected]",
"timestamp": "2024-04-30T16:13:24.1687828+10:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2022-25883"
},
"timestamp": "2024-04-30T16:13:24.1687828+10:00",
"products": [
{
"@id": "pkg:docker/<ACR>.azurecr.io/tyler/plt-mock-hl7-server",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present - using private ACR as root"
}
]
}
$ docker scout cves --vex-location ./vex <ACR>.azurecr.io/tyler/plt-mock-hl7-server
✓ SBOM of image already cached, 375 packages indexed
✓ Loaded 1 VEX document
✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities
## Overview
│ Analyzed Image
────────────────────┼──────────────────────────────────────────────────────────────
Target │ <ACR>.azurecr.io/tyler/plt-mock-hl7-server:latest
digest │ 0358ff78ca86
platform │ linux/amd64
vulnerabilities │ 0C 0H 1M 0L 1?
size │ 65 MB
packages │ 375
## Packages and Vulnerabilities
0C 0H 1M 0L semver 5.7.1
pkg:npm/[email protected]
✗ MEDIUM CVE-2022-25883 [Inefficient Regular Expression Complexity]
https://scout.docker.com/v/CVE-2022-25883
Affected range : <5.7.2
Fixed version : 5.7.2
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Thanks for all the feedback. We found an issue and put a fix in. This will be released with the next version of the CLI.