grype
grype copied to clipboard
Published
20 hours ago •
anchore
anchore
feat(vex): CSAF support
Following https://github.com/anchore/grype/pull/1397, this PR extends VEX support for ignoring/adding matches based on Vulnerability Exploitability Exchange data so it also accepts CSAF format.
The PR also refactors the grype/vex package since now there's more than one supported VEX format (CSAF & OpenVEX) and it requires the vex processor to be able to distinguish between VEX formats and apply a different implementation.
Credits to @joancafom as the designer of this implementation.
Use case
Given a CSAF VEX document such as the one below:
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "Example Company VEX document. Unofficial content for demonstration purposes only.",
"title": "Author comment"
}
],
"publisher": {
"category": "vendor",
"name": "Example Company ProductCERT",
"namespace": "https://psirt.example.com"
},
"title": "AquaSecurity example VEX document",
"tracking": {
"current_release_date": "2022-03-03T11:00:00.000Z",
"generator": {
"date": "2022-03-03T11:00:00.000Z",
"engine": {
"name": "Secvisogram",
"version": "1.11.0"
}
},
"id": "2022-EVD-UC-01-A-001",
"initial_release_date": "2022-03-03T11:00:00.000Z",
"revision_history": [
{
"date": "2022-03-03T11:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.6.0",
"product": {
"name": "Spring Boot 2.6.0",
"product_id": "SPB-00260",
"product_identification_helper": {
"purl": "pkg:apk/alpine/[email protected]?arch=aarch64&upstream=openssl&distro=alpine-3.17.3"
}
}
}
],
"category": "product_name",
"name": "Spring Boot"
}
],
"category": "vendor",
"name": "Spring"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-1255",
"notes": [
{
"category": "description",
"text": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
"title": "CVE description"
}
],
"product_status": {
"known_not_affected": [
"SPB-00260"
]
},
"threats": [
{
"category": "impact",
"details": "Class with vulnerable code was removed before shipping.",
"product_ids": [
"SPB-00260"
]
}
]
}
]
}
You can use it so Grype suppresses the vulnerability which status is known_not_affected given the justification Class with vulnerable code was removed before shipping:
$ go run ./cmd/grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex csaf-demo.json --show-suppressed
✔ Vulnerability DB [no update available]
✔ Loaded image alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
✔ Parsed image sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
✔ Cataloged contents d0279448938d2200b7dcdcb5dcf5801569b25f549e5c744ca4bcdd52f7367628
├── ✔ Packages [15 packages]
├── ✔ File digests [78 files]
├── ✔ File metadata [78 locations]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [21 vulnerability matches]
├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
└── by status: 22 fixed, 0 not-fixed, 1 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libcrypto3 3.0.8-r3 3.0.12-r0 apk CVE-2023-5363 High
libcrypto3 3.0.8-r3 3.0.12-r4 apk CVE-2024-0727 Medium
libcrypto3 3.0.8-r3 3.0.12-r2 apk CVE-2023-6129 Medium
libcrypto3 3.0.8-r3 3.0.12-r1 apk CVE-2023-5678 Medium
libcrypto3 3.0.8-r3 3.0.10-r0 apk CVE-2023-3817 Medium
libcrypto3 3.0.8-r3 3.0.9-r3 apk CVE-2023-3446 Medium
libcrypto3 3.0.8-r3 3.0.9-r2 apk CVE-2023-2975 Medium
libcrypto3 3.0.8-r3 3.0.9-r0 apk CVE-2023-2650 Medium
libcrypto3 3.0.8-r3 3.0.12-r5 apk CVE-2024-2511 Unknown
libcrypto3 3.0.8-r3 3.0.12-r3 apk CVE-2023-6237 Unknown
libcrypto3 3.0.8-r3 3.0.8-r4 apk CVE-2023-1255 Medium (suppressed by VEX)
libssl3 3.0.8-r3 3.0.12-r0 apk CVE-2023-5363 High
libssl3 3.0.8-r3 3.0.12-r4 apk CVE-2024-0727 Medium
libssl3 3.0.8-r3 3.0.12-r2 apk CVE-2023-6129 Medium
libssl3 3.0.8-r3 3.0.12-r1 apk CVE-2023-5678 Medium
libssl3 3.0.8-r3 3.0.10-r0 apk CVE-2023-3817 Medium
libssl3 3.0.8-r3 3.0.9-r3 apk CVE-2023-3446 Medium
libssl3 3.0.8-r3 3.0.9-r2 apk CVE-2023-2975 Medium
libssl3 3.0.8-r3 3.0.9-r0 apk CVE-2023-2650 Medium
libssl3 3.0.8-r3 3.0.8-r4 apk CVE-2023-1255 Medium
libssl3 3.0.8-r3 3.0.12-r5 apk CVE-2024-2511 Unknown
libssl3 3.0.8-r3 3.0.12-r3 apk CVE-2023-6237 Unknown
