
Docker Scout does not honor Chainguard's advisory data/secdb #71

Open
amdawson opened this issue Nov 15, 2023 · 9 comments
@amdawson

amdawson commented Nov 15, 2023

As the owner of its own distro, Chainguard maintains advisory data that captures the results of investigations into potential vulnerabilities. This includes cases where Chainguard determines a vulnerability to be a false positive.

Chainguard publishes guidance for vulnerability scanner integration here. Scanners are expected to honor Chainguard's advisory data, including these "false positive" designations, so that the vulnerability report output from supported scanners is as accurate as possible.

Even though the Docker docs show that both the Wolfi (open source) and Chainguard (commercial) advisory feeds are used by Docker Scout, it appears that Docker Scout does not correctly implement support for our false positive data in all cases. According to this output, when Docker Scout finds matches to language ecosystem (e.g. NPM) packages, Docker Scout doesn't correctly suppress the result when these matches are noted in Chainguard's secdb as false positives.

This means Docker Scout fails to meet an expectation defined in Chainguard's Vulnerability Scanner Support docs, specifically on this page, item 4a.

Please let us know when integration with the Wolfi and Chainguard secdb data is planned.

@cdupuis
Collaborator

cdupuis commented Nov 23, 2023

Thanks for raising this.

> Please let us know when integration with the Wolfi and Chainguard secdb data is planned.

Will do. Currently we do not have a definitive date to address this but will consider it based on customer feedback.

@luhring

luhring commented Nov 26, 2023

Great, thanks @cdupuis! Ping me if I can help, too. 😃

@amdawson
Author

Hi @cdupuis, just a follow-up on this one: we are hearing about some false positives on Scout scans. Is this one getting worked? See my OP for links to guidance on scanner support for Chainguard; the links give you all the details.

@MordodeMaru

We are now publishing our security advisory feeds in OSV format, if that helps @cdupuis

@cdupuis cdupuis self-assigned this Jun 5, 2024
@cdupuis
Collaborator

cdupuis commented Jun 5, 2024

> We are now publishing our security advisory feeds in OSV format, if that helps @cdupuis

Thanks for pointing that out. I clearly missed this and I can't find any reference in https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/foundational_concepts.md#security-data. Is this still the right place?

Regarding the issue here, I fail to reproduce the behaviour described above for the sample image provided. See the following output:

❯ docker scout cves cgr.dev/chainguard/metrics-server
    ✓ SBOM obtained from attestation, 11 packages found
    ✓ No vulnerable package detected


## Overview

                    │               Analyzed Image
────────────────────┼─────────────────────────────────────────────
  Target            │  cgr.dev/chainguard/metrics-server:latest
    digest          │  313936368ee3
    platform        │ linux/arm64
    vulnerabilities │    0C     0H     0M     0L
    size            │ 18 MB
    packages        │ 11


## Packages and Vulnerabilities

  No vulnerable packages detected

Could you please provide an example of such a false positive report for us to verify?

@justincormack
Member

Note that since this issue was opened we started using the cosign delivered SBOMs for analysis on these images so the behaviour has changed.

@luhring

luhring commented Jun 6, 2024

Thanks @cdupuis and @justincormack! With the recent changes, I think we're in a much better state. I'll reach back out if I see anything else come up 🙇

@cdupuis
Collaborator

cdupuis commented Jun 6, 2024

Thank you Chainguard team. I’ll close this here. Please feel free to open a new issue if you end up seeing other issues.

@cdupuis cdupuis closed this as completed Jun 6, 2024
@luhring

luhring commented Jul 5, 2024

After looking at more test cases, it looks like this isn't entirely fixed yet. 😞

Specifically, if Chainguard Images are being used as base images to build other images, Scout starts producing false positives again. Here's an example:

First, scan the latest (as of today) Python dev image:

$ docker scout cves cgr.dev/chainguard/python@sha256:b179fd2b12dadbc3fceb0fda5133020269da349083eef7d1a6378a338fa4ee4b
    ✓ SBOM obtained from attestation, 150 packages found
    ✓ No vulnerable package detected
...

No CVEs, which is correct.

Then, use this image as a base image to build a new image. In this case, we won't even modify the filesystem or image configuration at all.

Dockerfile:

FROM cgr.dev/chainguard/python@sha256:b179fd2b12dadbc3fceb0fda5133020269da349083eef7d1a6378a338fa4ee4b

# That's it!

Build the image, and then scan it:

$ docker build -t test.local/python .
...
$ docker scout cves test.local/python
    ✓ Image stored for indexing
    ✓ Indexed 83 packages
    ✓ Provenance obtained from attestation
    ✗ Detected 1 vulnerable package with 1 vulnerability


## Overview

                    │       Analyzed Image
────────────────────┼──────────────────────────────
  Target            │  test.local/python:latest
    digest          │  a00018200a26
    platform        │ linux/arm64
    vulnerabilities │    0C     1H     0M     0L
    size            │ 181 MB
    packages        │ 83


## Packages and Vulnerabilities

   0C     1H     0M     0L  pip 24.1.1
pkg:pypi/pip@24.1.1

    ✗ HIGH CVE-2018-20225 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2018-20225
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 7.8
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Here, Docker Scout should be applying false positive data from Chainguard's security feed, but since it's not, it still reports CVE-2018-20225 in pip — notably the exact same software bits as are in the 0-CVE Chainguard Image.

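The following is an added example, not Docker Scout's or Chainguard's code, of the decision a scanner has to make to "honor the secdb" for the language-ecosystem matches described in the opening post (item 4a) and for the pip hit in the derived-image reproduction above. It assumes the Alpine-style secdb JSON layout that Chainguard's scanner-support docs describe (a `secfixes` key of `"0"` meaning the package was never affected, any other key being the first fixed APK version); the secdb entries, file-ownership table, paths and matches are all constructed for illustration and are not copies of the live feed or of a real image. The two steps it shows are attribution of the `pkg:pypi/...` hit to the APK that installed it, which is what an indexer must recover from the image itself when it is not handed the base image's attested SBOM, and then the secdb lookup against that APK.

```python
"""Apply Wolfi/Chainguard secdb data to scanner matches, including matches on
language-ecosystem packages (pkg:pypi/...) that were installed by an APK.

Added example for this thread; it is not Docker Scout's or Chainguard's code.
The secdb shape is the Alpine-style JSON that Chainguard's scanner-support docs
describe; every entry, path and match below is CONSTRUCTED for illustration and
is not a copy of the live feed or of a real image.
"""
import json
import re
from dataclasses import dataclass

# Constructed secdb excerpt. In the Alpine/Wolfi convention a secfixes key of
# "0" means "never affected", i.e. the distro marks the CVE a false positive
# for that package; any other key is the first fixed APK version.
SECDB_JSON = """
{
  "reponame": "os",
  "urlprefix": "https://packages.wolfi.dev",
  "archs": ["x86_64", "aarch64"],
  "packages": [
    {"pkg": {"name": "py3-pip",      "secfixes": {"0": ["CVE-2018-20225"]}}},
    {"pkg": {"name": "py3-requests", "secfixes": {"2.31.0-r0": ["CVE-2023-32681"]}}}
  ]
}
"""

# Constructed file ownership, as a scanner would recover it from
# /lib/apk/db/installed when it indexes a (derived) image itself instead of
# taking the base image's attested SBOM.  path -> (apk name, apk version)
APK_FILE_OWNERS = {
    "/usr/lib/python3.12/site-packages/pip-24.1.1.dist-info/METADATA":
        ("py3-pip", "24.1.1-r0"),
    "/usr/lib/python3.12/site-packages/requests-2.30.0.dist-info/METADATA":
        ("py3-requests", "2.30.0-r0"),
}


@dataclass(frozen=True)
class Match:
    """One scanner hit: the ecosystem purl, the file it was found at, and the
    CVE the vulnerability database matched it to."""
    purl: str
    path: str
    cve: str


def parse_apk_version(version):
    """'24.1.1-r0' -> ((24, 1, 1), 0).  Simplified: apk suffixes such as
    _p1/_git are ignored, which is enough for the comparisons here."""
    base, _, release = version.partition("-r")
    return tuple(int(x) for x in re.findall(r"\d+", base)), int(release or 0)


def load_secfixes(secdb_json):
    """Index the secdb by APK package name -> {version: [CVE, ...]}."""
    db = json.loads(secdb_json)
    return {entry["pkg"]["name"]: entry["pkg"]["secfixes"] for entry in db["packages"]}


def classify(match, owners, secfixes):
    """Return ("suppress" | "report", reason) for one match.

    Step 1 attributes the ecosystem package to the APK that installed it; only
    then can the distro's advisory data speak for it.  Step 2 applies the
    secdb entry for that APK: "0" (false positive) wins, otherwise compare the
    installed APK version against the first fixed version.
    """
    owner = owners.get(match.path)
    if owner is None:
        return "report", f"{match.purl} is not APK-managed; secdb has no say"
    apk_name, apk_version = owner
    fixes = secfixes.get(apk_name, {})
    if match.cve in fixes.get("0", []):
        return "suppress", f"{apk_name}: {match.cve} marked false positive in secdb"
    for fixed_version, cves in fixes.items():
        if fixed_version == "0" or match.cve not in cves:
            continue
        if parse_apk_version(apk_version) >= parse_apk_version(fixed_version):
            return "suppress", f"{apk_name} {apk_version} already carries fix {fixed_version}"
        return "report", f"{apk_name} {apk_version} predates fix {fixed_version}"
    return "report", f"{apk_name}: no secdb entry for {match.cve}"


# Constructed matches covering the outcomes that matter.
MATCHES = [
    Match("pkg:pypi/pip@24.1.1",
          "/usr/lib/python3.12/site-packages/pip-24.1.1.dist-info/METADATA",
          "CVE-2018-20225"),                       # false positive per secdb
    Match("pkg:pypi/requests@2.30.0",
          "/usr/lib/python3.12/site-packages/requests-2.30.0.dist-info/METADATA",
          "CVE-2023-32681"),                       # genuinely behind the fix
    Match("pkg:pypi/pip@24.1.1",
          "/home/app/venv/lib/python3.12/site-packages/pip-24.1.1.dist-info/METADATA",
          "CVE-2018-20225"),                       # pip-installed, not an APK
]


def classify_all(matches=MATCHES):
    """Classify every match; returns {path: (decision, reason)}."""
    secfixes = load_secfixes(SECDB_JSON)
    return {m.path: classify(m, APK_FILE_OWNERS, secfixes) for m in matches}


if __name__ == "__main__":
    for path, (decision, reason) in classify_all().items():
        print(f"{decision:8s} {reason}")
```

The third match is the case the distro cannot vouch for: the same pip version installed by `pip` into a venv in a derived image is not covered by `py3-pip`'s secdb entry, so a scanner is right to keep reporting it there, and right to suppress the APK-owned copy.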
@cdupuis cdupuis reopened this Jul 6, 2024
5 participants