Skip to content

Commit

Permalink
Add known VEX files to build process (#1969)
Browse files Browse the repository at this point in the history
  • Loading branch information
@timothycarambat
timothycarambat authored Jul 25, 2024
1 parent fe07d0c commit a7010fd
Show file tree
Hide file tree
Showing 6 changed files with 124 additions and 66 deletions.
37 changes: 36 additions & 1 deletion .github/workflows/build-and-push-image.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ on:
- '.github/ISSUE_TEMPLATE/**/*'
- 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
- 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
- 'docker/vex/*' # CVE exceptions we know are not in risk

jobs:
push_multi_platform_to_registries:
Expand Down Expand Up @@ -95,3 +94,39 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max

# For Docker scout there are some intermediary reported CVEs which exists outside
# of execution content or are unreachable by an attacker but exist in image.
# We create VEX files for these so they don't show in scout summary.
- name: Collect known and verified CVE exceptions
id: cve-list
run: |
# Collect CVEs from filenames in vex folder
CVE_NAMES=""
for file in ./docker/vex/*.vex.json; do
[ -e "$file" ] || continue
filename=$(basename "$file")
stripped_filename=${filename%.vex.json}
CVE_NAMES+=" $stripped_filename"
done
echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
shell: bash

# About VEX attestations https://docs.docker.com/scout/explore/exceptions/
# Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
- name: Add VEX attestations
env:
CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
run: |
echo $CVE_EXCEPTIONS
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
for cve in $CVE_EXCEPTIONS; do
for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
echo "Attaching VEX exception $cve to $tag"
docker scout attestation add \
--file "./docker/vex/$cve.vex.json" \
--predicate-type https://openvex.dev/ns/v0.2.0 \
$tag
done
done
shell: bash
43 changes: 40 additions & 3 deletions .github/workflows/dev-build.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
name: Publish AnythingLLM Development Docker image (amd64)
name: AnythingLLM Development Docker image (amd64)

concurrency:
group: build-${{ github.ref }}
cancel-in-progress: true

on:
push:
branches: ['jwt-bump'] # put your current branch to create a build. Core team only.
branches: ['vex'] # put your current branch to create a build. Core team only.
paths-ignore:
- '**.md'
- 'cloud-deployments/*'
Expand All @@ -16,7 +16,6 @@ on:
- '.github/ISSUE_TEMPLATE/**/*'
- 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
- 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
- 'docker/vex/*' # CVE exceptions we know are not in risk

jobs:
push_multi_platform_to_registries:
Expand Down Expand Up @@ -75,3 +74,41 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max

# For Docker scout there are some intermediary reported CVEs which exists outside
# of execution content or are unreachable by an attacker but exist in image.
# We create VEX files for these so they don't show in scout summary.
- name: Collect known and verified CVE exceptions
id: cve-list
run: |
# Collect CVEs from filenames in vex folder
CVE_NAMES=""
for file in ./docker/vex/*.vex.json; do
[ -e "$file" ] || continue
filename=$(basename "$file")
stripped_filename=${filename%.vex.json}
CVE_NAMES+=" $stripped_filename"
done
echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
shell: bash

# About VEX attestations https://docs.docker.com/scout/explore/exceptions/
# Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
- name: Add VEX attestations
env:
CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
run: |
echo $CVE_EXCEPTIONS
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
for cve in $CVE_EXCEPTIONS; do
for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
echo "Attaching VEX exception $cve to $tag"
docker scout attestation add \
--file "./docker/vex/$cve.vex.json" \
--predicate-type https://openvex.dev/ns/v0.2.0 \
$tag
done
done
shell: bash


33 changes: 2 additions & 31 deletions docker/vex/CVE-2019-10790.vex.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,40 +12,11 @@
"timestamp": "2024-07-22T13:49:12.883678-07:00",
"products": [
{
"@id": "pkg:docker/mintplexlabs/anythingllm@render",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@railway",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@latest",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@master",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
}
]
"@id": "pkg:npm/[email protected]"
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary"
"justification": "vulnerable_code_not_in_execute_path"
}
]
}
22 changes: 22 additions & 0 deletions docker/vex/CVE-2024-29415.vex.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
"author": "[email protected]",
"timestamp": "2024-07-19T16:08:47.147169-07:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2024-29415"
},
"timestamp": "2024-07-19T16:08:47.147172-07:00",
"products": [
{
"@id": "pkg:npm/[email protected]"
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present"
}
]
}
33 changes: 2 additions & 31 deletions docker/vex/CVE-2024-37890.vex.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,40 +12,11 @@
"timestamp": "2024-07-19T16:08:47.147172-07:00",
"products": [
{
"@id": "pkg:docker/mintplexlabs/anythingllm@render",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@railway",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@latest",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@master",
"subcomponents": [
{
"@id": "pkg:npm/[email protected]"
}
]
"@id": "pkg:npm/[email protected]"
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary"
"justification": "vulnerable_code_not_in_execute_path"
}
]
}
22 changes: 22 additions & 0 deletions docker/vex/CVE-2024-4068.vex.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
"author": "[email protected]",
"timestamp": "2024-07-19T16:08:47.147169-07:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2024-4068"
},
"timestamp": "2024-07-19T16:08:47.147172-07:00",
"products": [
{
"@id": "pkg:npm/[email protected]"
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present"
}
]
}

0 comments on commit a7010fd

Please sign in to comment.