-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docker Scout does not honor Chainguard's advisory data/secdb #71
Comments
Thanks for raising this.
Will do. Currently we do not have a definitive date to address this but will consider it based on customer feedback. |
Great, thanks @cdupuis! Ping me if I can help, too. 😃 |
Hi @cdupuis just a followup on this one, we are hearing about some false positives on scout scans, is this one getting worked? see my OP for links to guidance on scanner support for chainguard, the links give you all the details. |
We are now publishing our security advisory feeds in OSV format, if that helps @cdupuis |
Thanks for pointing that out. I clearly missed this and I can't find any reference in https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/foundational_concepts.md#security-data. Is this still the right place? Regarding the issue here, I fail to reproduce the behaviour described above for the sample image provided. See the following output:
Could you please provide an example of such a false positive report for us to verify? |
Note that since this issue was opened we started using the cosign delivered SBOMs for analysis on these images so the behaviour has changed. |
Thanks @cdupuis and @justincormack! With the recent changes, I think we're in a much better state. I'll reach back out if I see anything else come up 🙇 |
Thank you Chainguard team. I’ll close this here. Please feel free to open a new issue if you end up seeing other issues. |
After looking at more test cases, it looks like this isn't entirely fixed yet. 😞 Specifically, if Chainguard Images are being used as base images to build other images, Scout starts producing false positives again. Here's an example: First, Scan the latest (as of today) Python dev image: $ docker scout cves cgr.dev/chainguard/python@sha256:b179fd2b12dadbc3fceb0fda5133020269da349083eef7d1a6378a338fa4ee4b
✓ SBOM obtained from attestation, 150 packages found
✓ No vulnerable package detected
... No CVEs, which is correct. Then, use this image as a base image to build a new image. In this case, we won't even modify the filesystem or image configuration at all. Dockerfile: FROM cgr.dev/chainguard/python@sha256:b179fd2b12dadbc3fceb0fda5133020269da349083eef7d1a6378a338fa4ee4b
# That's it! Build the image, and then scan it: $ docker build -t test.local/python .
...
$ docker scout cves test.local/python
✓ Image stored for indexing
✓ Indexed 83 packages
✓ Provenance obtained from attestation
✗ Detected 1 vulnerable package with 1 vulnerability
## Overview
│ Analyzed Image
────────────────────┼──────────────────────────────
Target │ test.local/python:latest
digest │ a00018200a26
platform │ linux/arm64
vulnerabilities │ 0C 1H 0M 0L
size │ 181 MB
packages │ 83
## Packages and Vulnerabilities
0C 1H 0M 0L pip 24.1.1
pkg:pypi/[email protected]
✗ HIGH CVE-2018-20225 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2018-20225
Affected range : >=0
Fixed version : not fixed
CVSS Score : 7.8
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Here, Docker Scout should be applying false positive data from Chainguard's security feed, but since it's not, it's still CVE-2018-20225 in pip — notably the exact same software bits as are in the 0-CVE Chainguard Image. |
As the owner of its own distro, Chainguard maintains advisory data that captures the results of investigations into potential vulnerabilities. This includes cases where Chainguard determines a vulnerability to be a false positive.
Chainguard publishes guidance for vulnerability scanner integration here. Scanners are expected to honor Chainguard's advisory data, including these "false positive" designations, so that the vulnerability report output from supported scanners is as accurate as possible.
Even though the Docker docs show that both the Wolfi (open source) and Chainguard (commercial) advisory feeds are used by Docker Scout, it appears that Docker Scout does not correctly implement support for our false positive data in all cases. According to this output, when Docker Scout finds matches to language ecosystem (e.g. NPM) packages, Docker Scout doesn't correctly suppress the result when these matches are noted in Chainguard's secdb as false positives.
This means Docker Scout fails to meet an expectation defined in Chainguard's Vulnerability Scanner Support docs, specifically on this page, item 4a.
Please let us know when integration with the Wolfi and Chainguard secdb data is planned.
The text was updated successfully, but these errors were encountered: