Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(vex): VEX Repository support #7206

Merged
merged 56 commits into from
Jul 25, 2024
Merged

feat(vex): VEX Repository support #7206

merged 56 commits into from
Jul 25, 2024

Conversation

knqyf263
Copy link
Collaborator

@knqyf263 knqyf263 commented Jul 22, 2024
edited
Loading

Description

This PR introduces VEX (Vulnerability Exploitability eXchange) Repository integration into Trivy. While Trivy currently supports VEX through the --vex flag for local VEX files, manually finding and managing relevant VEX documents for each scan is impractical and time-consuming for users. This new feature addresses this limitation by enabling automatic discovery and application of VEX data during vulnerability scans, primarily to filter out vulnerabilities that are not exploitable in the scanned context by leveraging community-maintained VEX information.

Usage

$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --show-suppressed
2024-07-20T11:22:58+04:00       INFO    [vex] The default repository config has been created    
file_path="/home/test/.trivy/vex/repository.yaml"
2024-07-20T11:23:23+04:00       INFO    [vex] Updating repository...    repo="default" url="https://github.com/aquasecurity/vexhub"
...

Suppressed Vulnerabilities (Total: 4)
=====================================
┌───────────────┬────────────────┬──────────┬──────────────┬───────────────────────────────────────────────────┬──────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │    Status    │                     Statement                     │                  Source                  │
├───────────────┼────────────────┼──────────┼──────────────┼───────────────────────────────────────────────────┼──────────────────────────────────────────┤
│ busybox       │ CVE-2023-42364 │ MEDIUM   │ not_affected │ vulnerable_code_cannot_be_controlled_by_adversary │ VEX Repository: default                  │
│               │                │          │              │                                                   │ (https://github.com/aquasecurity/vexhub) │
│               ├────────────────┤          │              │                                                   │                                          │
│               │ CVE-2023-42365 │          │              │                                                   │                                          │
│               │                │          │              │                                                   │                                          │
├───────────────┼────────────────┤          │              │                                                   │                                          │
│ busybox-binsh │ CVE-2023-42364 │          │              │                                                   │                                          │
│               │                │          │              │                                                   │                                          │
│               ├────────────────┤          │              │                                                   │                                          │
│               │ CVE-2023-42365 │          │              │                                                   │                                          │
│               │                │          │              │                                                   │                                          │
└───────────────┴────────────────┴──────────┴──────────────┴───────────────────────────────────────────────────┴──────────────────────────────────────────┘

New Features

  1. VEX Repository support:

    • Automatic download and caching of VEX data from configured repositories
    • Periodic updates based on repository-specific intervals
    • Filtering of vulnerabilities based on VEX information

  2. New CLI option:

    • --vex repo: Enable VEX repository integration during scans (extends the existing --vex flag)

  3. New CLI commands:

    • trivy vex repo init: Initialize the default VEX repository configuration
    • trivy vex repo list: List configured VEX repositories
    • trivy vex repo download: Pre-cache VEX data for configured repositories

  4. Cache management:

    • Use trivy clean --vex-repo to clear the VEX repository cache

Implementation Details

  • VEX repositories are configured in $HOME_DIR/.trivy/vex/repository.yaml
    • The default repository is VEX Hub.
  • VEX data is cached in $CACHE_DIR/vex/repositories/
  • The feature supports both HTTPS and GitHub-hosted repositories
  • VEX filtering is performed after the regular vulnerability scan
  • Users can add custom repositories that adhere to the VEX Repository Specification

Benefits

  • Enhanced accuracy: Filter out vulnerabilities that are not exploitable in the specific context of the scanned software
  • Focused remediation: Help security teams prioritize truly actionable vulnerabilities
  • Practical VEX utilization: Make VEX integration a viable option for day-to-day vulnerability management by automating the discovery and application of relevant VEX data
  • Flexibility: Support for multiple VEX sources, including custom repositories
  • Efficiency: Local caching with controlled update intervals

Next Steps

This feature is initially designed to be opt-in to allow for testing and feedback. Existing Trivy functionality remains unchanged unless the new VEX repository options are explicitly used. However, given the benefits of VEX integration, we plan to transition this feature to opt-out in a future release. This change will make VEX repository integration the default behavior, further enhancing Trivy's vulnerability scanning capabilities for all users.

Issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263
feat: add vex subcommand
547363a 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: adhere to VEX Repository Specification
6ab7fc8 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
fix: inherit logger options for fatal errors
476dcfc 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: download VEX repos
d885ecf 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: add --vex-repos to 'trivy clean'
8ba0871 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
add 'trivy vex repo download'
319eb65 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: cache ETag
2b18878 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
TODO: refactor CycloneDX
d2ec227 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
refactor: always create parent map
c548e38 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
refactor: rename library to package
9787609 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
refactor: rename FilterOption to FilterOptions
71b8ca3 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
fix: re-use the existing UID
6a0533d 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
refactor: re-define interface
7b35ccc 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
test: fit for new interface
abd6ab9 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
fix: re-use serial number from SBOM
7458b32 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
fix: go-github may return nil for transport
1353291 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: store cache metadata for VEX repos
e969bf8 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: add RepositorySet
d098fb6 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat(csaf): support VEX source
430954e 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
test: fix sources
34ade4b 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
test(vex): add tests for repository set
33f8207 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
test: add more vexr tests
3d6e0e3 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: skip repos that hasn't been downloaded
02e173a 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: use repository_url for OCI
ab19441 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: add "--vex repo"
0b8c2fd 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: add "enabled" field
03c707f 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: add authentication
82f9595 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
test(vex): add tests for vex-repo
a22ad36 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: support version array
2609053 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
test(vex): add tests for manager
438187d 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
fix: support insecure in custom transport
7e24dca 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
fix: lint issues
aec8684 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
ci: switch to ubuntu-latest
32bcd21 
ubuntu-latest-m is broken now.
TODO: switch it back to ubuntu-latest-m later

Signed-off-by: knqyf263 <[email protected]>
@knqyf263
docs: auto-generate
d5cc59d 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263 knqyf263 marked this pull request as ready for review July 23, 2024 06:47
@knqyf263
Copy link
Collaborator Author

@DmitriyLewen ubuntu-latest-m is still down. I switched it to ubuntu-latest so I can confirm this PR passes all tests. It's all green now, and I marked this PR ready for review. I'll change it back to ubuntu-latest-m after GitHub gets fixed.

DmitriyLewen
DmitriyLewen reviewed Jul 23, 2024
View reviewed changes
pkg/commands/app.go Outdated Show resolved Hide resolved
pkg/commands/app.go Outdated Show resolved Hide resolved
pkg/commands/app.go Show resolved Hide resolved
pkg/commands/operation/operation.go Outdated Show resolved Hide resolved
docs/docs/supply-chain/vex/repo.md Show resolved Hide resolved
pkg/commands/app.go Outdated Show resolved Hide resolved
pkg/commands/app.go Outdated Show resolved Hide resolved
pkg/vex/repo/repo.go Outdated Show resolved Hide resolved
pkg/vex/repo/repo_test.go Outdated Show resolved Hide resolved
pkg/vex/repo/manager.go Outdated Show resolved Hide resolved
knqyf263 and others added 10 commits July 23, 2024 15:26
@knqyf263 @DmitriyLewen
Update manager.go
422e03c 
Co-authored-by: DmitriyLewen <[email protected]>
@knqyf263
fix: cli usage
fca16cb 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263 @DmitriyLewen
Update pkg/commands/operation/operation.go
71c9bf3 
[skip ci]

Co-authored-by: DmitriyLewen <[email protected]>
@knqyf263
docs(cache): add a link to vex repo
642f2d9 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
revert: add parents flag
9881b0f 
[skip ci]

Signed-off-by: knqyf263 <[email protected]>
@knqyf263
chore: add a comment
19e60ba 
[skip ci]

Signed-off-by: knqyf263 <[email protected]>
@knqyf263
chore: add a long description
e02af76 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
fix: delete unused field
424759e 
[skip ci]

Signed-off-by: knqyf263 <[email protected]>
@knqyf263
fix: delete debug code
07ba807 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
docs: generate references
ae853ce 
Signed-off-by: knqyf263 <[email protected]>
DmitriyLewen
DmitriyLewen approved these changes Jul 25, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
left small comment

pkg/vex/repo.go Outdated Show resolved Hide resolved
@knqyf263
feat: show debug message once per package
1479468 
Showing debug messages per vulnerability may be too much.

Signed-off-by: knqyf263 <[email protected]>
DmitriyLewen
DmitriyLewen approved these changes Jul 25, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@knqyf263 knqyf263 enabled auto-merge July 25, 2024 12:10
@knqyf263 knqyf263 added this pull request to the merge queue Jul 25, 2024
Merged via the queue into aquasecurity:main with commit 88ba460 Jul 25, 2024
17 checks passed
@knqyf263 knqyf263 deleted the feat/vexrepo branch July 25, 2024 12:42
@aqua-bot aqua-bot mentioned this pull request Jul 25, 2024
Merged
@DmitriyLewen DmitriyLewen mentioned this pull request Jul 29, 2024
Merged
7 tasks
@knqyf263 knqyf263 mentioned this pull request Jul 29, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

Assignees

@knqyf263 knqyf263

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat(vex): add support for VEX Repository
2 participants
@knqyf263 @DmitriyLewen