Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

internal/openvex: add initial support for identifying affected product #11

Closed
wants to merge 1 commit into from

Conversation

macedogm
Copy link

@macedogm macedogm commented Jun 23, 2024

govulncheck currently doesn't include the affected product in the OpenVEX report. Instead, it always include Unknown Product. Due to this, if the report is passed to Trivy as trivy repo --vex vex-report.json ..., no false positives will be removed, because Trivy cannot match the non affected package/version to the govulncheck report. The same also happens if Grype is used.

This implementation is certainly not perfect, but can be used as a starting point to make the generated OpenVEX report useful on an automated manner with vulnerability scanners.

When generating the purl identifier for the Go package, the v in front of the version number is removed to match what is currently supported by the Purl spec. See the upstream Purl spec issues for more information about this on going discussion package-url/purl-spec#294 and package-url/purl-spec#63.

Note: this is my first contribution to a Google/Go project and perhaps the code style isn't matching the expectations, so any feedback is appreciated.

Fixes golang/go#68152

Copy link

google-cla bot commented Jun 23, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gopherbot
Copy link
Contributor

This PR (HEAD: a7b2b6a) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/vuln/+/594216.

Important tips:

  • Don't comment on this PR. All discussion takes place in Gerrit.
  • You need a Gmail or other Google account to log in to Gerrit.
  • To change your code in response to feedback:
    • Push a new commit to the branch used by your GitHub PR.
    • A new "patch set" will then appear in Gerrit.
    • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
    • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
    • Multiple commits in the PR will be squashed by GerritBot.
  • The title and description of the GitHub PR are used to construct the final commit message.
    • Edit these as needed via the GitHub web interface (not via Gerrit or git).
    • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
  • See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

@gopherbot
Copy link
Contributor

Message from Gopher Robot:

Patch Set 1:

(1 comment)


Please don’t reply on this GitHub thread. Visit golang.org/cl/594216.
After addressing review feedback, remember to publish your drafts!

@gopherbot
Copy link
Contributor

Message from Gopher Robot:

Patch Set 1:

Congratulations on opening your first change. Thank you for your contribution!

Next steps:
A maintainer will review your change and provide feedback. See
https://go.dev/doc/contribute#review for more info and tips to get your
patch through code review.

Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.


Please don’t reply on this GitHub thread. Visit golang.org/cl/594216.
After addressing review feedback, remember to publish your drafts!

@gopherbot
Copy link
Contributor

Message from Guilherme Macedo:

Patch Set 2:

(2 comments)


Please don’t reply on this GitHub thread. Visit golang.org/cl/594216.
After addressing review feedback, remember to publish your drafts!

@zpavlinovic
Copy link
Contributor

Thanks for raising the issue. Note that this repo is a mirror and we hence don't accept pull requests.

Also, this should be a proposal. I suggest opening an issue at golang/go (not vuln) issue tracker for this.

Few things to consider in the proposal. You are choosing the product to be a module of the vulnerability. Should the product be the thing we analyzed instead? Also note that in principle a single osv can apply to multiple modules.

Here are some challenges when assigning product ID based on the artifact govulncheck analyzed. What should the product be for:

  • govulncheck ./...
  • govulncheck ./specific/package
  • govulncheck -mode binary bin, where bin is one of many binaries built from the module

@macedogm
Copy link
Author

Hey @zpavlinovic, thanks for your quick answer.

Thanks for raising the issue. Note that this repo is a mirror and we hence don't accept pull requests.

Yes, I saw that, but it wasn't clear if one should still submit the PR here and then follow in https://go-review.googlesource.com/c/vuln/+/594216 or if I should submit directly to Gerrit.

Also, this should be a proposal. I suggest opening an issue at golang/go (not vuln) issue tracker for this.

I made the issue golang/go#68152 when opening the PR. Is it enough or should it be more detailed?

Few things to consider in the proposal. You are choosing the product to be a module of the vulnerability. Should the product be the thing we analyzed instead? Also note that in principle a single osv can apply to multiple modules.

The product is currently the directly affected package/path and its version, so it can be properly matched following the Purl spec and Trivy's rules as described in https://aquasecurity.github.io/trivy/v0.52/docs/supply-chain/vex/#purl-matching. Note that apparently there were some upstream discussions about this in OpenVEX's spec, see in openvex/spec#27.

Here are some challenges when assigning product ID based on the artifact govulncheck analyzed. What should the product be for: (...)

From the tests that I executed, it will always be the affected package@version where the vulnerability was reported in OSV. See an example below which has the same output for both source and binary scans.

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "govulncheck/vex:b414d0903ea6311bfbae48d731b1dddd9fa4c1d3a49b83862bca6c361775d949",
  "author": "Unknown Author",
  "timestamp": "2024-06-24T16:31:03.763850823Z",
  "version": 1,
  "tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
  "statements": [
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2023-1546",
        "name": "GO-2023-1546",
        "description": "Denial of service in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",
        "aliases": [
          "CVE-2023-25151",
          "GHSA-5r5m-65gx-7vrh"
        ]
      },
      "products": [
        {
          "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present",
      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
    },
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2023-2113",
        "name": "GO-2023-2113",
        "description": "Memory exhaustion in go.opentelemetry.io/contrib/instrumentation",
        "aliases": [
          "CVE-2023-45142",
          "GHSA-rcjv-mgp8-qvmr"
        ]
      },
      "products": [
        {
          "@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
    },
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2024-2746",
        "name": "GO-2024-2746",
        "description": "Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin in k8s.io/kubernetes",
        "aliases": [
          "CVE-2024-3177",
          "GHSA-pxhw-596r-rwq5"
        ]
      },
      "products": [
        {
          "@id": "pkg:golang/k8s.io/[email protected]"
        }
      ],
      "status": "affected"
    }
  ]
}

Please let me know if we should keep the discussion here or move to Gerrit or other place. Thanks!

@zpavlinovic
Copy link
Contributor

Typically, a direct Gerrit CL comes after a discussion on the proposal issue. The issue you created is fine. I suggest closing the pull requests here. We can continue the discussion on the issue.

@macedogm macedogm force-pushed the openvex-improvement branch from a7b2b6a to a8fc0ed Compare June 25, 2024 13:48
@gopherbot
Copy link
Contributor

This PR (HEAD: a8fc0ed) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/vuln/+/594216.

Important tips:

  • Don't comment on this PR. All discussion takes place in Gerrit.
  • You need a Gmail or other Google account to log in to Gerrit.
  • To change your code in response to feedback:
    • Push a new commit to the branch used by your GitHub PR.
    • A new "patch set" will then appear in Gerrit.
    • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
    • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
    • Multiple commits in the PR will be squashed by GerritBot.
  • The title and description of the GitHub PR are used to construct the final commit message.
    • Edit these as needed via the GitHub web interface (not via Gerrit or git).
    • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
  • See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

@macedogm
Copy link
Author

@zpavlinovic closing the PR as requested and then moving our discussion to golang/go#68152.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

x/vuln: OpenVEX report lacks affected product
3 participants