feat: prototype of grype explain #1367

Merged
merged 49 commits into from
Sep 11, 2023
Changes from all commits
Commits
49 commits
5f285f3
WIP - shell to work on explain functionality
willmurphyscode Jun 12, 2023
9a128d4
Add more info to explain output
willmurphyscode Jun 26, 2023
de59922
Dedupe URLs and include related CVEs
willmurphyscode Jun 26, 2023
6e1cd7d
Fix CPE; clarify found vs searchedBy
willmurphyscode Jun 26, 2023
342c181
Group packages by PURL
willmurphyscode Jun 27, 2023
9dbd15a
Implement formatting suggestions
willmurphyscode Jun 28, 2023
79180bc
Distinguish direct and related matches
willmurphyscode Jun 28, 2023
8cb78a7
WIP: add new explain files
willmurphyscode Jun 30, 2023
5dc174e
WIP: trying to get match details and locations explained
willmurphyscode Jun 30, 2023
6553fe4
Fixed explanations
willmurphyscode Jun 30, 2023
1eeecb3
Remove primary vulnerability from related ones
willmurphyscode Jun 30, 2023
c724909
Re-arrange primary vs related
willmurphyscode Jun 30, 2023
7dca892
fix primary url
willmurphyscode Jun 30, 2023
7ce87f3
Deduplicate evidence by path
willmurphyscode Jul 12, 2023
df64730
Rebase on new package structure
willmurphyscode Jul 14, 2023
fc57e31
rename flag to --id
willmurphyscode Aug 31, 2023
8ae351e
put URLs after evidence
willmurphyscode Aug 31, 2023
acbc0e1
warn prototype and handle errors
willmurphyscode Aug 31, 2023
76444a6
move new code to own presenter
willmurphyscode Aug 31, 2023
4329894
nits in template - newline and conditional PURL line
willmurphyscode Aug 31, 2023
9c9a6aa
move still useful code out of old file and delete
willmurphyscode Sep 1, 2023
f559463
add snapshot test and fixtures
willmurphyscode Sep 1, 2023
03ed0a0
rename to get better out of struct name
willmurphyscode Sep 1, 2023
6856652
group by artifact ID not purl, since purls are not unique
willmurphyscode Sep 1, 2023
5f61853
make output more yaml-y
willmurphyscode Sep 1, 2023
004b357
fix snapshot test with stable order
willmurphyscode Sep 1, 2023
ee6238c
auto-lint
willmurphyscode Sep 1, 2023
d62b645
add additional test case
willmurphyscode Sep 1, 2023
aef2666
more linting
willmurphyscode Sep 1, 2023
d811906
more linting
willmurphyscode Sep 1, 2023
6c71546
remove unused graphIsByCVE
willmurphyscode Sep 1, 2023
3403056
almost all the linters
willmurphyscode Sep 1, 2023
fb6e5fd
extract url logic; still a few TODOs
willmurphyscode Sep 1, 2023
d2acd51
move sorting logic into evidence function
willmurphyscode Sep 1, 2023
7b2daef
little refactor
willmurphyscode Sep 5, 2023
3115451
WIP - mostly works, but lots of todos and comments to read
willmurphyscode Sep 6, 2023
c842674
snaps for new behavior
willmurphyscode Sep 6, 2023
7159855
clean up some old comments and todos
willmurphyscode Sep 6, 2023
4c4663a
stable sort of evidence
willmurphyscode Sep 6, 2023
0949a6d
add snap tests for GHSAs
willmurphyscode Sep 7, 2023
4bd3106
WIP: start re-arranging
willmurphyscode Sep 7, 2023
a9778c9
fix sorting: GHSA URLs earlier, exact direct matches earlier
willmurphyscode Sep 7, 2023
feb6776
looking nice
willmurphyscode Sep 7, 2023
978ab05
update snaps
willmurphyscode Sep 7, 2023
d944b37
clean up some comments; suppress one lint
willmurphyscode Sep 7, 2023
d2f0fbd
remove unused template
willmurphyscode Sep 7, 2023
8d07aa0
track test fixture
willmurphyscode Sep 7, 2023
03dc5db
clean up comments
willmurphyscode Sep 8, 2023
b6ccb2e
more comment cleanup
willmurphyscode Sep 11, 2023
5 changes: 5 additions & 0 deletions cmd/grype/cli/legacy/cmd.go
Expand Up @@ -38,6 +38,11 @@ func init() {
)
}

func NewCli() *cobra.Command {
rootCmd.AddCommand(explainCmd)
return rootCmd
}

func Execute() {
if err := rootCmd.Execute(); err != nil {
_ = stderrPrintLnf(err.Error())
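Review bot: `NewCli()` appends `explainCmd` to the package-level `rootCmd` on every call, so calling it twice registers the subcommand twice; register it once (for example in the existing `init()` alongside the other setup) or have `NewCli()` build a fresh root command each time. With main.go now calling `legacy.NewCli().Execute()`, the retained `Execute()` here is a second, diverging entry point; either delete it or reduce it to a call to `NewCli().Execute()` so the two paths cannot drift apart.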
51 changes: 51 additions & 0 deletions cmd/grype/cli/legacy/explain.go
@@ -0,0 +1,51 @@
package legacy

import (
"encoding/json"
"fmt"
"os"

"github.com/spf13/cobra"

"github.com/anchore/grype/grype/presenter/explain"
"github.com/anchore/grype/grype/presenter/models"
"github.com/anchore/grype/internal"
"github.com/anchore/grype/internal/log"
)

var cveIDs []string

var explainCmd = &cobra.Command{
Use: "explain --id [VULNERABILITY ID]",
Short: "Ask grype to explain a set of findings",
RunE: func(cmd *cobra.Command, args []string) error {
log.Warn("grype explain is a prototype feature and is subject to change")
isStdinPipeOrRedirect, err := internal.IsStdinPipeOrRedirect()
if err != nil {
log.Warnf("unable to determine if there is piped input: %+v", err)
isStdinPipeOrRedirect = false
}
if isStdinPipeOrRedirect {
// TODO: eventually detect different types of input; for now assume grype json
var parseResult models.Document
decoder := json.NewDecoder(os.Stdin)
err := decoder.Decode(&parseResult)
if err != nil {
return fmt.Errorf("unable to parse piped input: %+v", err)
}
explainer := explain.NewVulnerabilityExplainer(os.Stdout, &parseResult)
return explainer.ExplainByID(cveIDs)
}
// perform a scan, then explain requested CVEs
// TODO: implement
return fmt.Errorf("requires grype json on stdin, please run 'grype -o json ... | grype explain ...'")
},
}

func init() {
setExplainFlags(explainCmd)
}

func setExplainFlags(cmd *cobra.Command) {
cmd.Flags().StringArrayVarP(&cveIDs, "id", "", nil, "CVE ID to explain")
}
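Review bot: The `--id` flag's help text reads "CVE ID to explain" while the `Use` string says `[VULNERABILITY ID]` and the snapshot tests exercise GHSA identifiers, so the help string should say vulnerability ID; since the flag is a `StringArray`, `Use` should also show that it can be repeated, and `StringArrayVar` would avoid passing an empty shorthand to `StringArrayVarP`. The comment pair `// perform a scan, then explain requested CVEs` / `// TODO: implement` sits directly above an unconditional `return fmt.Errorf(...)`, so a reader may take the error for a stub rather than the intended behaviour; reword the comment to state that scanning is not implemented in the prototype and stdin JSON is required, or move the TODO to a tracked issue.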
10 changes: 9 additions & 1 deletion cmd/grype/main.go
@@ -1,9 +1,17 @@
package main

import (
"os"

"github.com/anchore/grype/cmd/grype/cli/legacy"
"github.com/anchore/grype/internal/log"
)

func main() {
legacy.Execute()
cli := legacy.NewCli()
err := cli.Execute()
if err != nil {
log.Error(err)
os.Exit(1)
}
}
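Review bot: Error reporting moves from `stderrPrintLnf(err.Error())` inside `legacy.Execute()` to `log.Error(err)` followed by `os.Exit(1)`; cobra prints an error returned from `RunE` to stderr itself unless `SilenceErrors` is set on the root command, so verify the message is not emitted twice (once by cobra, once by `log.Error`). The explicit non-zero exit is the right call for scripted use (`grype -o json ... | grype explain ...`), but it is a behaviour change from the removed `legacy.Execute()` line and deserves a mention in the PR description.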
108 changes: 108 additions & 0 deletions grype/presenter/explain/__snapshots__/explain_snapshot_test.snap
@@ -0,0 +1,108 @@

[TestExplainSnapshot/keycloak-CVE-2020-12413 - 1]
CVE-2020-12413 from nvd:cpe (Medium)
The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.
Related vulnerabilities:
- redhat:distro:redhat:9 CVE-2020-12413 (Low)
Matched packages:
- Package: nss, version: 3.79.0-17.el9_1
PURL: pkg:rpm/rhel/nss@3.79.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1
Match explanation(s):
- redhat:distro:redhat:9:CVE-2020-12413 Direct match (package name, version, and ecosystem) against nss (version 3.79.0-17.el9_1).
Locations:
- /var/lib/rpm/rpmdb.sqlite
- Package: nspr, version: 4.34.0-17.el9_1
PURL: pkg:rpm/rhel/nspr@4.34.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1
Match explanation(s):
- redhat:distro:redhat:9:CVE-2020-12413 Indirect match; this CVE is reported against nss (version 3.79.0-17.el9_1), the source RPM of this rpm package.
Locations:
- /var/lib/rpm/rpmdb.sqlite
- Package: nss-softokn, version: 3.79.0-17.el9_1
PURL: pkg:rpm/rhel/nss-softokn@3.79.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1
Match explanation(s):
- redhat:distro:redhat:9:CVE-2020-12413 Indirect match; this CVE is reported against nss (version 3.79.0-17.el9_1), the source RPM of this rpm package.
Locations:
- /var/lib/rpm/rpmdb.sqlite
- Package: nss-softokn-freebl, version: 3.79.0-17.el9_1
PURL: pkg:rpm/rhel/nss-softokn-freebl@3.79.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1
Match explanation(s):
- redhat:distro:redhat:9:CVE-2020-12413 Indirect match; this CVE is reported against nss (version 3.79.0-17.el9_1), the source RPM of this rpm package.
Locations:
- /var/lib/rpm/rpmdb.sqlite
- Package: nss-sysinit, version: 3.79.0-17.el9_1
PURL: pkg:rpm/rhel/nss-sysinit@3.79.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1
Match explanation(s):
- redhat:distro:redhat:9:CVE-2020-12413 Indirect match; this CVE is reported against nss (version 3.79.0-17.el9_1), the source RPM of this rpm package.
Locations:
- /var/lib/rpm/rpmdb.sqlite
- Package: nss-util, version: 3.79.0-17.el9_1
PURL: pkg:rpm/rhel/nss-util@3.79.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1
Match explanation(s):
- redhat:distro:redhat:9:CVE-2020-12413 Indirect match; this CVE is reported against nss (version 3.79.0-17.el9_1), the source RPM of this rpm package.
Locations:
- /var/lib/rpm/rpmdb.sqlite
URLs:
- https://nvd.nist.gov/vuln/detail/CVE-2020-12413
- https://access.redhat.com/security/cve/CVE-2020-12413

---

[TestExplainSnapshot/chainguard-ruby-CVE-2023-28755 - 1]
CVE-2023-28755 from nvd:cpe (High)
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
Related vulnerabilities:
- github:language:ruby GHSA-hv5j-3h9f-99c2 (High)
- wolfi:distro:wolfi:rolling CVE-2023-28755 (High)
Matched packages:
- Package: ruby-3.0, version: 3.0.4-r1
PURL: pkg:apk/wolfi/ruby-3.0@3.0.4-r1?arch=aarch64&distro=wolfi-20221118
Match explanation(s):
- wolfi:distro:wolfi:rolling:CVE-2023-28755 Direct match (package name, version, and ecosystem) against ruby-3.0 (version 3.0.4-r1).
- nvd:cpe:CVE-2023-28755 CPE match on `cpe:2.3:a:ruby-lang:uri:0.10.1:*:*:*:*:*:*:*`.
- wolfi:distro:wolfi:rolling:CVE-2023-28755 Indirect match; this CVE is reported against ruby-3.0 (version 3.0.4-r1), the upstream of this apk package.
Locations:
- /usr/lib/ruby/gems/3.0.0/specifications/default/uri-0.10.1.gemspec
- /lib/apk/db/installed
URLs:
- https://nvd.nist.gov/vuln/detail/CVE-2023-28755
- https://github.com/advisories/GHSA-hv5j-3h9f-99c2
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28755

---

[TestExplainSnapshot/test_a_GHSA - 1]
GHSA-cfh5-3ghh-wfjx from github:language:java (Medium)
Moderate severity vulnerability that affects org.apache.httpcomponents:httpclient
Related vulnerabilities:
- nvd:cpe CVE-2014-3577 (Medium)
Matched packages:
- Package: httpclient, version: 4.1.1
PURL: pkg:maven/org.apache.httpcomponents/httpclient@4.1.1
Match explanation(s):
- github:language:java:GHSA-cfh5-3ghh-wfjx Direct match (package name, version, and ecosystem) against httpclient (version 4.1.1).
Locations:
- /TwilioNotifier.hpi:WEB-INF/lib/sdk-3.0.jar:httpclient
URLs:
- https://github.com/advisories/GHSA-cfh5-3ghh-wfjx
- https://nvd.nist.gov/vuln/detail/CVE-2014-3577

---

[TestExplainSnapshot/test_a_CVE_alias_of_a_GHSA - 1]
CVE-2014-3577 from nvd:cpe (Medium)
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Related vulnerabilities:
- github:language:java GHSA-cfh5-3ghh-wfjx (Medium)
Matched packages:
- Package: httpclient, version: 4.1.1
PURL: pkg:maven/org.apache.httpcomponents/httpclient@4.1.1
Match explanation(s):
- github:language:java:GHSA-cfh5-3ghh-wfjx Direct match (package name, version, and ecosystem) against httpclient (version 4.1.1).
- nvd:cpe:CVE-2014-3577 CPE match on `cpe:2.3:a:apache:httpclient:4.1.1:*:*:*:*:*:*:*`.
Locations:
- /TwilioNotifier.hpi:WEB-INF/lib/sdk-3.0.jar:httpclient
URLs:
- https://nvd.nist.gov/vuln/detail/CVE-2014-3577
- https://github.com/advisories/GHSA-cfh5-3ghh-wfjx

---
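Review bot: In the `chainguard-ruby-CVE-2023-28755` case, `ruby-3.0` is explained as a direct match and then, one bullet later, as an indirect match "reported against ruby-3.0 (version 3.0.4-r1), the upstream of this apk package", that is, the package named as its own upstream with the same name and version; that reads as a contradiction to a user. Suppress the indirect explanation when the upstream resolves to the same package and version, or word it so the two records are distinguishable. The `keycloak` case shows the intended shape (nss direct, nspr/nss-* indirect via the source RPM), so a test that asserts the self-upstream case is collapsed would lock the behaviour in.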