From 84784f28073b8987b6d25706474eecc0c96a8d65 Mon Sep 17 00:00:00 2001
From: Adrian Mouat
Date: Thu, 18 Jan 2024 11:14:44 +0000
Subject: [PATCH 01/10] Added security advisories video.
Signed-off-by: Adrian Mouat
---
 .../videos/security_advisories.md | 90 +++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 content/chainguard/chainguard-images/videos/security_advisories.md
diff --git a/content/chainguard/chainguard-images/videos/security_advisories.md b/content/chainguard/chainguard-images/videos/security_advisories.md
new file mode 100644
index 0000000000..f325af0f0a
--- /dev/null
+++ b/content/chainguard/chainguard-images/videos/security_advisories.md
@@ -0,0 +1,90 @@
+---
+title: "How to use Chainguard Security Advisories and the Diff API"
+linktitle: "Minimal Runtime Images"
+lead: ""
+description: "How to use security advisories and the diff API to investigate vulnerabilities
+affecting Chainguard images"
+type: "article"
+date: 2024-01-18T01:21:01+00:00
+lastmod: 2024-01-18T15:21:01+00:00
+draft: false
+images: []
+menu:
+ docs:
+ parent: "chainguard-images"
+weight: 10
+toc: true
+---
+
+{{< youtube ExZxIWmnm1s >}}
+
+
+## Tools used in this video
+
+* [Chainguard Security Advisories](https://images.chainguard.dev/security)
+* [chainctl](/chainguard/administration/how-to-install-chainctl/)
+* [Docker](https://docker.com)
+* [Docker Scout](https://docs.docker.com/scout/)
+
+## Related Article
+
+See [How to Use Chainguard Security Advisories](/chainguard/chainguard-images/security-advisories/) for a written article covering similar
+content to this video.
+
+## Transcript
+
+0:05 So a question we sometimes get asked is how to investigate vulnerabilities found in Chainguard images and how you can figure out if there's a fix
+0:15 so thanks to a new website and some new tooling this is pretty
+0:19 straightforward so in this example we're
+0:21 going to look at a slightly old golang
+0:23 image and if we run Docker Scout or a
+0:26 similar scanner we do get some results
+0:31 so you can see in this image we found
+0:34 11
+0:35 vulnerabilities and we're going to
+0:37 investigate this one 2023
+0:42 44487 and we can see we're interested in
+0:45 the nghttp2 package so I'm going to
+0:50 copy that and I'm going to move to a
+0:56 browser and here I have opened images.chainguard.dev/security and I can search by
+1:02 that cve so that comes up. If I click
+1:06 into this I can filter by packages so if
+1:09 I put in nghttp2
+1:12 we can see that comes up
+1:15 here and interestingly we can see see
+1:19 the status is fixed it's fixed in
+1:21 version 1.57 point0 r0 um and this
+1:25 happened a while ago on October the 11th
+1:29 so now now I'm fairly
+1:34 sure that that vulnerability will be
+1:36 gone because the image will have been
+1:37 updated and indeed there we see there's
+1:40 no vulnerabilities detected but we can
+1:42 do bit more than that with a new diff
+1:44 API we can actually look into the
+1:46 differences between the 121.2 image and
+1:49 the 121.5 image um this will take a
+1:53 little moment to run note that I've
+1:55 piped this through jq to format the
+1:57 output and I've also saved it out to
+1:59 file um so we can scroll through it and
+2:02 see the output and look at it a little
+2:04 bit easier so if I open this
+2:08 file and we look at the bottom what we
+2:11 have here is a list of the
+2:13 vulnerabilities that have been removed
+2:15 between the two versions of the image so
+2:18 in this list I should see that 4487
+2:20 indeed it's here we're saying this cve
+2:23 was
+2:24 addressed and also if we search for NG
+2:28 http2 we find it here and we see the
+2:32 version has been updated so in the in
+2:36 this version of the image we're running
+2:39 on a newer version of injury H http2
+2:42 which is why that vulnerability has gone
+2:44 away so there you have it that's how you
+2:47 can um investigate cves and find out how
+2:50 they were addressed and chain guard
+2:51 images please do give this a go and let
+2:54 me know how you get on
From 023a7261fe8c14da48310f51dacfd9d53ffd27c6 Mon Sep 17 00:00:00 2001
From: Adrian Mouat
Date: Thu, 18 Jan 2024 11:20:32 +0000
Subject: [PATCH 02/10] Fix link.
Signed-off-by: Adrian Mouat
---
 .../chainguard/chainguard-images/videos/security_advisories.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/chainguard/chainguard-images/videos/security_advisories.md b/content/chainguard/chainguard-images/videos/security_advisories.md
index f325af0f0a..09323dce54 100644
--- a/content/chainguard/chainguard-images/videos/security_advisories.md
+++ b/content/chainguard/chainguard-images/videos/security_advisories.md
@@ -1,6 +1,6 @@
 ---
 title: "How to use Chainguard Security Advisories and the Diff API"
-linktitle: "Minimal Runtime Images"
+linktitle: "Chainguard Security Advisories & Diff API"
 lead: ""
 description: "How to use security advisories and the diff API to investigate vulnerabilities
 affecting Chainguard images"
From b1b18ea13301d104072493498e3ac0c275ad9854 Mon Sep 17 00:00:00 2001
From: Adrian Mouat
Date: Thu, 18 Jan 2024 11:24:48 +0000
Subject: [PATCH 03/10] Look into formatting problem.
Signed-off-by: Adrian Mouat
---
 .../chainguard-images/videos/security_advisories.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/content/chainguard/chainguard-images/videos/security_advisories.md b/content/chainguard/chainguard-images/videos/security_advisories.md
index 09323dce54..0350a75660 100644
--- a/content/chainguard/chainguard-images/videos/security_advisories.md
+++ b/content/chainguard/chainguard-images/videos/security_advisories.md
@@ -18,7 +18,6 @@ toc: true
 {{< youtube ExZxIWmnm1s >}}
-
 ## Tools used in this video
 * [Chainguard Security Advisories](https://images.chainguard.dev/security)
@@ -34,8 +33,11 @@ content to this video.
 ## Transcript
 0:05 So a question we sometimes get asked is how to investigate vulnerabilities found in Chainguard images and how you can figure out if there's a fix
+
 0:15 so thanks to a new website and some new tooling this is pretty
+
 0:19 straightforward so in this example we're
+
 0:21 going to look at a slightly old golang
 0:23 image and if we run Docker Scout or a
 0:26 similar scanner we do get some results
From bdca73298d2f54d5c4dd11dfed192c515f57bf27 Mon Sep 17 00:00:00 2001
From: Adrian Mouat
Date: Thu, 18 Jan 2024 11:38:12 +0000
Subject: [PATCH 04/10] Fix formatting.
Signed-off-by: Adrian Mouat
---
 .../videos/security_advisories.md | 58 ++++++++++++++++++-
 1 file changed, 55 insertions(+), 3 deletions(-)
diff --git a/content/chainguard/chainguard-images/videos/security_advisories.md b/content/chainguard/chainguard-images/videos/security_advisories.md
index 0350a75660..3cee4dc838 100644
--- a/content/chainguard/chainguard-images/videos/security_advisories.md
+++ b/content/chainguard/chainguard-images/videos/security_advisories.md
@@ -39,54 +39,106 @@ content to this video.
 0:19 straightforward so in this example we're
 0:21 going to look at a slightly old golang
+
 0:23 image and if we run Docker Scout or a
+
 0:26 similar scanner we do get some results
+
 0:31 so you can see in this image we found
+
 0:34 11
+
 0:35 vulnerabilities and we're going to
+
 0:37 investigate this one 2023
+
 0:42 44487 and we can see we're interested in
+
 0:45 the nghttp2 package so I'm going to
+
 0:50 copy that and I'm going to move to a
+
 0:56 browser and here I have opened images.chainguard.dev/security and I can search by
+
 1:02 that cve so that comes up. If I click
+
 1:06 into this I can filter by packages so if
+
 1:09 I put in nghttp2
+
 1:12 we can see that comes up
+
 1:15 here and interestingly we can see see
+
 1:19 the status is fixed it's fixed in
+
 1:21 version 1.57 point0 r0 um and this
+
 1:25 happened a while ago on October the 11th
+
 1:29 so now now I'm fairly
+
 1:34 sure that that vulnerability will be
+
 1:36 gone because the image will have been
+
 1:37 updated and indeed there we see there's
+
 1:40 no vulnerabilities detected but we can
+
 1:42 do bit more than that with a new diff
+
 1:44 API we can actually look into the
+
 1:46 differences between the 121.2 image and
+
 1:49 the 121.5 image um this will take a
+
 1:53 little moment to run note that I've
+
 1:55 piped this through jq to format the
+
 1:57 output and I've also saved it out to
+
 1:59 file um so we can scroll through it and
+
 2:02 see the output and look at it a little
+
 2:04 bit easier so if I open this
+
 2:08 file and we look at the bottom what we
+
 2:11 have here is a list of the
+
 2:13 vulnerabilities that have been removed
+
 2:15 between the two versions of the image so
+
 2:18 in this list I should see that 4487
+
 2:20 indeed it's here we're saying this cve
+
 2:23 was
+
 2:24 addressed and also if we search for NG
+
 2:28 http2 we find it here and we see the
+
 2:32 version has been updated so in the in
+
 2:36 this version of the image we're running
-2:39 on a newer version of injury H http2
+
+2:39 on a newer version of
+nghttp2
+
 2:42 which is why that vulnerability has gone
+
 2:44 away so there you have it that's how you
-2:47 can um investigate cves and find out how
-2:50 they were addressed and chain guard
+
+2:47 can investigate CVEs and find out how
+
+2:50 they were addressed and Chainguard
+
 2:51 images please do give this a go and let
+
 2:54 me know how you get on
From 06cd99bafb8a648c32ab82edc0c7dd374105609d Mon Sep 17 00:00:00 2001
From: Adrian Mouat
Date: Fri, 19 Jan 2024 10:08:01 +0000
Subject: [PATCH 05/10] Update content/chainguard/chainguard-images/videos/security_advisories.md
Co-authored-by: Mark Drake <33191761+SharpRake@users.noreply.github.com>
Signed-off-by: Adrian Mouat
---
 .../chainguard/chainguard-images/videos/security_advisories.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/chainguard/chainguard-images/videos/security_advisories.md b/content/chainguard/chainguard-images/videos/security_advisories.md
index 3cee4dc838..e19b6b3180 100644
--- a/content/chainguard/chainguard-images/videos/security_advisories.md
+++ b/content/chainguard/chainguard-images/videos/security_advisories.md
@@ -44,7 +44,7 @@ content to this video.
 0:26 similar scanner we do get some results
-0:31 so you can see in this image we found
+0:31 so you can see in this image we found 11
 0:34 11
From da1da27f982333e98c14e0f3229807343a995a3e Mon Sep 17 00:00:00 2001
From: Adrian Mouat
Date: Fri, 19 Jan 2024 10:08:22 +0000
Subject: [PATCH 06/10] Update content/chainguard/chainguard-images/videos/security_advisories.md
Co-authored-by: Mark Drake <33191761+SharpRake@users.noreply.github.com>
Signed-off-by: Adrian Mouat
---
 .../chainguard/chainguard-images/videos/security_advisories.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/chainguard/chainguard-images/videos/security_advisories.md b/content/chainguard/chainguard-images/videos/security_advisories.md
index e19b6b3180..f2878eb19c 100644
--- a/content/chainguard/chainguard-images/videos/security_advisories.md
+++ b/content/chainguard/chainguard-images/videos/security_advisories.md
@@ -46,7 +46,6 @@ content to this video.
 0:31 so you can see in this image we found 11
-0:34 11
 0:35 vulnerabilities and we're going to
From 1680450ca119cb7b5a1ff133a939e550eb050173 Mon Sep 17 00:00:00 2001
From: Adrian Mouat
Date: Fri, 19 Jan 2024 10:08:34 +0000
Subject: [PATCH 07/10] Update content/chainguard/chainguard-images/videos/security_advisories.md
Co-authored-by: Mark Drake <33191761+SharpRake@users.noreply.github.com>
Signed-off-by: Adrian Mouat
---
 .../chainguard/chainguard-images/videos/security_advisories.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/chainguard/chainguard-images/videos/security_advisories.md b/content/chainguard/chainguard-images/videos/security_advisories.md
index f2878eb19c..b0743650a8 100644
--- a/content/chainguard/chainguard-images/videos/security_advisories.md
+++ b/content/chainguard/chainguard-images/videos/security_advisories.md
@@ -115,7 +115,7 @@ content to this video.
 2:18 in this list I should see that 4487
-2:20 indeed it's here we're saying this cve
+2:20 indeed it's here we're saying this cve was
 2:23 was
From e58eb90d8f51d9e76294808273c79eecadd440be Mon Sep 17 00:00:00 2001
From: Adrian Mouat
Date: Fri, 19 Jan 2024 10:08:40 +0000
Subject: [PATCH 08/10] Update content/chainguard/chainguard-images/videos/security_advisories.md
Co-authored-by: Mark Drake <33191761+SharpRake@users.noreply.github.com>
Signed-off-by: Adrian Mouat
---
 .../chainguard/chainguard-images/videos/security_advisories.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/chainguard/chainguard-images/videos/security_advisories.md b/content/chainguard/chainguard-images/videos/security_advisories.md
index b0743650a8..325af4b00e 100644
--- a/content/chainguard/chainguard-images/videos/security_advisories.md
+++ b/content/chainguard/chainguard-images/videos/security_advisories.md
@@ -117,7 +117,6 @@ content to this video.
 2:20 indeed it's here we're saying this cve was
-2:23 was
 2:24 addressed and also if we search for NG
From 2f478c4068c199ca6074ecbed03f44f810a0c914 Mon Sep 17 00:00:00 2001
From: Adrian Mouat
Date: Fri, 19 Jan 2024 10:10:40 +0000
Subject: [PATCH 09/10] Change weight of page so it's not at the top.
Signed-off-by: Adrian Mouat
---
 .../chainguard/chainguard-images/videos/security_advisories.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/chainguard/chainguard-images/videos/security_advisories.md b/content/chainguard/chainguard-images/videos/security_advisories.md
index 325af4b00e..e224cccb46 100644
--- a/content/chainguard/chainguard-images/videos/security_advisories.md
+++ b/content/chainguard/chainguard-images/videos/security_advisories.md
@@ -12,7 +12,7 @@ images: []
 menu:
 docs:
 parent: "chainguard-images"
-weight: 10
+weight: 5
 toc: true
 ---
From aba026518397e43dba0839b7af79343c3139ed9f Mon Sep 17 00:00:00 2001
From: Adrian Mouat
Date: Fri, 19 Jan 2024 10:33:12 +0000
Subject: [PATCH 10/10] Increase weight. Do heavy things sink? Who'd have thought.
Signed-off-by: Adrian Mouat
---
 .../chainguard/chainguard-images/videos/security_advisories.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/chainguard/chainguard-images/videos/security_advisories.md b/content/chainguard/chainguard-images/videos/security_advisories.md
index e224cccb46..21288fa27e 100644
--- a/content/chainguard/chainguard-images/videos/security_advisories.md
+++ b/content/chainguard/chainguard-images/videos/security_advisories.md
@@ -12,7 +12,7 @@ images: []
 menu:
 docs:
 parent: "chainguard-images"
-weight: 5
+weight: 20
 toc: true
 ---