feat: Expose Ubuntu fix status for downstream consumption #407
Conversation
…ity#403) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Whilst I'm not a maintainer here, I am aware of the scope of this work and did work on the RHEL changes for fix status, so thought I'd add some review comments to try and help to save some time for the reviewers.
@jhebden-gl Thanks for the feedback. I have pushed a new change set with your suggested changes.
Hi @knqyf263 👋🏻 - I was wondering if you might be able to assist with a review on this PR? We are hoping to use this data downstream. Thank you!
pkg/vulnsrc/ubuntu/ubuntu.go (outdated)
    // StatusFromUbuntuStatus normalises Ubuntu status into common Trivy Types
    func StatusFromUbuntuStatus(status string) types.Status {
    	switch status {
    	case "not-affected", "DNE", "not-vulnerable", "ignored":
I don't think not-affected, DNE and not-vulnerable are "Will not fix". They're "Not affected", and we don't want to save them in the database as it increases the size.
I agree.
I will push a change set for this today.
ignored makes sense to me as it's considered "Will not fix".
@knqyf263 I have pushed all the tidy up changes. Please re-review when you have a chance.
Thanks
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
fix linter error, please
https://github.com/aquasecurity/trivy-db/actions/runs/9608945100/job/26502649422?pr=407#step:4:26
Done :)
@skahn007gl Thanks for updating. At last, could you add a test with a non-fixed status? Adding a new advisory or updating the existing one.
@skahn007gl Also, could you open a PR with this change in Trivy? It's better to test this change with Trivy before merging this PR.
Tips: Use replace until this PR gets merged.
          "Note": ""
        }
      },
      "trusty": {
The key must be a package name. Isn't trusty a codename?
Ah yes it should be. I read xen as xenial. Will change the test data and get it pushed.
test data updated and pushed.
Hey @knqyf263 I am unsure what needs to change in the existing integration tests.
This includes the status field in the .golden test data. I have made the other changes and raised a PR to Trivy :)
There is a DB fixture here. We need to add a status here and ensure the status appears in the result. This bucket must also be updated if you want to add a new vulnerability. When adding a new bucket for Ubuntu, that needs to be added here.
@knqyf263 How are the .golden files generated/created? I have updated the DB fixture with an existing CVE for ubuntu 18.04 that would have a non fixed status, but I'm unable to trigger a failure on the existing ubuntu18.04 integration tests.

    - bucket: ubuntu 18.04
      pairs:
        - bucket: libspring-java
          pairs:
            - key: CVE-2022-22965
              value:
                Status: deferred

(Lines 17 to 26 in 9bdfe07)

Corrected to I am assuming I need to update If this is the case, how are the .golden files generated/created? Thanks for the help and guidance on this as I work through it.
No, the test should fail due to a mismatch with the golden file. You need to update the golden file once you confirm the test fails. Did you update all the buckets I listed above? It may be easier for us to debug if you push the change to your PR in Trivy.
Thanks for confirming, I agree it will be easier to debug if I share my changes. I will update the PR shortly.
@knqyf263 I have pushed the updated DB fixture and OS bucket. Note the changes do not include the use of
You added Ubuntu 21.10, but the scanned image is not Ubuntu 21.10. The data is not used.
Adjusted to ubuntu 16.04 as there is an image under Successfully generated a failed test result. I am running the tests via Is there a way to generate the output from the comparison? I have pushed my updates.
Hey @knqyf263 I have simplified the integration test to use as much of the existing as possible to understand how these tests hang together. I believe I am still missing something here.
When I run the integration tests, there is no test failure for I added some dummy data to to
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
LGTM
pkg/vulnsrc/ubuntu/ubuntu.go (outdated)
    func StatusFromUbuntuStatus(status string) types.Status {
    	switch status {
    	case "ignored":
    		return types.StatusWillNotFix
I took another read of the document.
https://askubuntu.com/questions/1509705/cve-questions-about-status/1509706#1509706
"ignored" support has ended for one reason or another/ end-of-life.
It looks like Ubuntu doesn't determine if the package is affected. So, if I understand correctly, we should not show this type of vulnerability.
We consider this an intentional decision, that is, vendor will not fix. This status is important in our downstream workflow and was included for this reason.
"Will not fix" means "this package is affected by this flaw on this platform, but there is currently no intention to fix it." It's a Red Hat definition, but we follow it.
https://access.redhat.com/blogs/product-security/posts/2066793
@knqyf263 Are you happy to proceed with this?
What do you need from me to get this merged?
@skahn007gl - it seems that treating ignored as wontfix is the issue here, as ignored/EOL findings are typically not ingested to reduce Trivy DB size. I think we can just skip ingesting ignored, we still have the "notaffected" status to determine if the outcome of analysis is that Ubuntu decided not to fix it. For EOL stuff, we can work that out another way on our end, and treat findings for EOL releases as wontfix if they don't have another status.
Trivy is designed to minimize false positives as much as possible. EOL means unknown and is possibly a false positive, which is why we currently do not detect it.
While I see the reasoning behind this and do not disagree, I am happy to follow guidance and remove the status for Ubuntu.
@knqyf263 let me know if you feel strongly on removing ignored for Ubuntu and I will make the changes.
I would like to highlight that ignored is ingested for Debian in pkg/vulnsrc/debian.go:682
func newStatus(s string) types.Status {
switch strings.ToLower(s) {
// "end-of-life" is considered as vulnerable
// e.g. https://security-tracker.debian.org/tracker/CVE-2022-1488
case "no-dsa", "unfixed":
return types.StatusAffected
case "ignored":
return types.StatusWillNotFix
case "postponed":
return types.StatusFixDeferred
case "end-of-life":
return types.StatusEndOfLife
}
return types.StatusUnknown
}
I would like to highlight the ignored is ingested for Debian in pkg/vulnsrc/debian.go:682
We believe "ignored" in Debian differs from "ignored" in Ubuntu. They use the same term by chance. Please let us know if you find a document in which Debian also uses "ignored" for EOL.
Hey @knqyf263, @jhebden-gl
I have removed the ignored status as we can make an assumption on wontfix by presence of data (Affected), Deferred status, No fix version.
Signed-off-by: knqyf263 <knqyf263@gmail.com>
…)" This reverts commit 42b851c.
Summary
resolves #408
Trivy Ubuntu advisories provide a FixedVersion when there is a released fix for a package. Affected can be inferred when the advisory is present without a FixedVersion, but it does not expose any other status that Canonical uses to indicate the status of a fix. This is insufficient to infer a status of ignored, pending or needed, as these statuses show the package is affected and in the process of getting to a fixed version, or not if the status is ignored. This change exposes the Status provided in launchpad advisories without changing existing behaviour to populate the notes field in an advisory with Status:$status.

Changes
gitignore:21 :: name change of cache, assets to _cache, _assets to reflect directory name change to support gopls lint ignore declaration of _ prefix on directories.
MakeFile :: Adjusting naming convention of cache & _assets to avoid gopls linter causing max open file errors on MacOS.
pkg/types/status.go :: New status added to support all potential statuses on launchpad advisories.
pkg/vulnsrc/ubuntu/ubuntu.go :: Expanded target status to capture all provided statuses. Adjusted logic to use these statuses. Added Ubuntu status to Trivy status normalisation function.
pkg/vulnsrc/ubuntu/ubuntu_test.go :: Added test for status normalisation.
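The review thread above settles two things that are easy to get wrong when consuming Ubuntu fix status: which Ubuntu tracker statuses should never be written to the database (not-affected, DNE, not-vulnerable, and, after discussion, ignored), and how a downstream consumer can still infer "will not fix" from what is stored (an advisory present, deferred status, no FixedVersion). The Go program below is an added example written for this page, not code from trivy-db or the PR: the Status type, NormalizeUbuntuStatus, Advisory, StatusFromNote and InferWillNotFix are all stand-ins invented here, the constant names only echo the types.Status* names quoted in the thread, the sample rows are constructed, and the rule that all three conditions must hold for the wontfix inference is an assumption about the closing comment, which lists them without saying how they combine.

```go
package main

import (
	"fmt"
	"strings"
)

// Status is a stand-in for trivy-db's types.Status, defined here so the
// example compiles on its own (constructed for this example).
type Status string

const (
	StatusUnknown     Status = "unknown"
	StatusAffected    Status = "affected"
	StatusFixDeferred Status = "fix_deferred"
	StatusFixed       Status = "fixed"
)

// NormalizeUbuntuStatus maps an Ubuntu CVE tracker status onto Status.
// The bool reports whether the record should be stored at all: per the
// review, "not-affected", "DNE" and "not-vulnerable" are not vulnerabilities,
// and "ignored" (support ended, affectedness undetermined) is skipped to
// avoid false positives and database growth.
func NormalizeUbuntuStatus(status string) (Status, bool) {
	switch strings.ToLower(strings.TrimSpace(status)) {
	case "released":
		return StatusFixed, true
	case "needed", "pending":
		// affected, fix in progress, no FixedVersion yet
		return StatusAffected, true
	case "deferred":
		return StatusFixDeferred, true
	case "not-affected", "dne", "not-vulnerable", "ignored":
		return StatusUnknown, false
	}
	// Unrecognised values are kept but flagged unknown, mirroring the
	// fall-through in the Debian normaliser quoted in the thread.
	return StatusUnknown, true
}

// Advisory is a minimal stand-in for a stored advisory record (constructed).
type Advisory struct {
	FixedVersion string
	Note         string // pre-existing behaviour per the PR: "Status:<status>"
	Status       Status
}

// StatusFromNote recovers the raw Ubuntu status from a "Status:$status" note,
// returning "" when the note carries none.
func StatusFromNote(note string) string {
	const prefix = "Status:"
	if !strings.HasPrefix(note, prefix) {
		return ""
	}
	return strings.TrimSpace(strings.TrimPrefix(note, prefix))
}

// InferWillNotFix is the consumer-side heuristic from the closing comment:
// advisory present (affected) AND deferred status AND no FixedVersion.
// (Assumption: all three are required.)
func InferWillNotFix(a Advisory) bool {
	return a.FixedVersion == "" && a.Status == StatusFixDeferred
}

func main() {
	// Constructed sample rows; the first mirrors the fixture discussed in
	// the thread (libspring-java / CVE-2022-22965 / Status: deferred).
	samples := []struct{ pkg, ubuntu, fixed string }{
		{"libspring-java", "deferred", ""},
		{"xen", "needed", ""},
		{"openssl", "released", "0.0.0-placeholder"},
		{"xen", "not-affected", ""},
		{"xen", "ignored", ""},
	}
	for _, s := range samples {
		st, keep := NormalizeUbuntuStatus(s.ubuntu)
		if !keep {
			fmt.Printf("%-14s %-13s -> skipped (not stored)\n", s.pkg, s.ubuntu)
			continue
		}
		adv := Advisory{FixedVersion: s.fixed, Note: "Status:" + s.ubuntu, Status: st}
		fmt.Printf("%-14s %-13s -> %-12s wontfix=%v\n",
			s.pkg, StatusFromNote(adv.Note), st, InferWillNotFix(adv))
	}
}
```

The split between a normaliser that returns "store / do not store" and a separate consumer-side inference is the point: the database stays small and free of EOL guesses, while a downstream pipeline that wants "vendor will not fix" semantics derives them from stored fields rather than from a status the source never asserted.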