internal/openvex: add initial support for identifying affected product #11
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
This PR (HEAD: a7b2b6a) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/vuln/+/594216. Important tips:
|
|
Message from Gopher Robot: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/594216. |
|
Message from Gopher Robot: Patch Set 1: Congratulations on opening your first change. Thank you for your contribution! Next steps: Most changes in the Go project go through a few rounds of revision. This can be Please don’t reply on this GitHub thread. Visit golang.org/cl/594216. |
|
Message from Guilherme Macedo: Patch Set 2: (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/594216. |
|
Thanks for raising the issue. Note that this repo is a mirror and we hence don't accept pull requests. Also, this should be a proposal. I suggest opening an issue at golang/go (not vuln) issue tracker for this. Few things to consider in the proposal. You are choosing the product to be a module of the vulnerability. Should the product be the thing we analyzed instead? Also note that in principle a single osv can apply to multiple modules. Here are some challenges when assigning product ID based on the artifact govulncheck analyzed. What should the product be for:
|
|
Hey @zpavlinovic, thanks for your quick answer.
Yes, I saw that, but it wasn't clear if one should still submit the PR here and then follow in https://go-review.googlesource.com/c/vuln/+/594216 or if I should submit directly to Gerrit.
I made the issue golang/go#68152 when opening the PR. Is it enough or should it be more detailed?
The product is currently the directly affected package/path and its version, so it can be properly matched following the Purl spec and Trivy's rules as described in https://aquasecurity.github.io/trivy/v0.52/docs/supply-chain/vex/#purl-matching. Note that apparently there were some upstream discussions about this in OpenVEX's spec, see in openvex/spec#27.
From the tests that I executed, it will always be the affected {
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "govulncheck/vex:b414d0903ea6311bfbae48d731b1dddd9fa4c1d3a49b83862bca6c361775d949",
"author": "Unknown Author",
"timestamp": "2024-06-24T16:31:03.763850823Z",
"version": 1,
"tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
"statements": [
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-1546",
"name": "GO-2023-1546",
"description": "Denial of service in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",
"aliases": [
"CVE-2023-25151",
"GHSA-5r5m-65gx-7vrh"
]
},
"products": [
{
"@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]"
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2023-2113",
"name": "GO-2023-2113",
"description": "Memory exhaustion in go.opentelemetry.io/contrib/instrumentation",
"aliases": [
"CVE-2023-45142",
"GHSA-rcjv-mgp8-qvmr"
]
},
"products": [
{
"@id": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]"
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-2746",
"name": "GO-2024-2746",
"description": "Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin in k8s.io/kubernetes",
"aliases": [
"CVE-2024-3177",
"GHSA-pxhw-596r-rwq5"
]
},
"products": [
{
"@id": "pkg:golang/k8s.io/[email protected]"
}
],
"status": "affected"
}
]
}Please let me know if we should keep the discussion here or move to Gerrit or other place. Thanks! |
|
Typically, a direct Gerrit CL comes after a discussion on the proposal issue. The issue you created is fine. I suggest closing the pull requests here. We can continue the discussion on the issue. |
Signed-off-by: Guilherme Macedo <[email protected]>
macedogm
force-pushed
the
openvex-improvement
branch
from
a7b2b6a
to
a8fc0ed
Compare
|
This PR (HEAD: a8fc0ed) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/vuln/+/594216. Important tips:
|
|
@zpavlinovic closing the PR as requested and then moving our discussion to golang/go#68152. |
govulncheck currently doesn't include the affected product in the OpenVEX report. Instead, it always include
Unknown Product. Due to this, if the report is passed to Trivy astrivy repo --vex vex-report.json ..., no false positives will be removed, because Trivy cannot match the non affected package/version to the govulncheck report. The same also happens if Grype is used.This implementation is certainly not perfect, but can be used as a starting point to make the generated OpenVEX report useful on an automated manner with vulnerability scanners.
When generating the
purlidentifier for the Go package, thevin front of the version number is removed to match what is currently supported by the Purl spec. See the upstream Purl spec issues for more information about this on going discussion package-url/purl-spec#294 and package-url/purl-spec#63.Note: this is my first contribution to a Google/Go project and perhaps the code style isn't matching the expectations, so any feedback is appreciated.
Fixes golang/go#68152