whitelist vulnerabilities #13
Comments
Can you better explain what you mean? You could save the output to json and do whatever you like with it.
I mean, is there an option to ignore/allow a few selected vulnerabilities?
In some container scanners I have used (for Docker), there is a flag available which takes a file (yaml/json) with a list of vulnerabilities as an argument and allows these vulnerabilities if encountered.
This will be useful for implementing in a CI/CD pipeline.
So I was wondering if there is an option available in stools as well.
Thank you!
Ashwini
oh yeah that totally makes sense! How about we match the Docker file format for that, so you don't have to remake it. Can you point me to one?
yep that's perfect! I'll probably be adjusting the language so it's not whitelist but maybe allowlist? And I should be able to work on this soon.
okey doke, here is a PR to test! #14 So I did matching for CVEs based on the upper level OS (e.g. ubuntu) and then the CVE name - I didn't use the content of the dict because I wasn't sure how it mapped! Do you want to test it out and let me know if you'd like changes, etc?
Thank you for the quick action on this! I cloned the latest changes and started docker-compose. The clair-scanner is exiting within a few minutes. I have copied the logs here for your reference:
clair-scanner | {"Event":"could not determine a valid package from criterions","Level":"warning","Location":"oracle.go:352","Time":"2021-11-24 06:41:08.142465","criterions":"[{openssl is ksplice-based} {Oracle Linux arch is x86_64} {Oracle Linux 8 is installed}]"}
Also, I added the "RUN sed -i -e 's/http:/https:/' /etc/apk/repositories" line to the Dockerfile as I was getting a network connection aborted error during docker build. Addition of this line resolved the error for me.
[root@myvm stools]# docker build -t vanessa/stools-clair .
@ashwinidr23 I just ran the build locally and had no issue with the network (and did not need the extra command) so I'm not able to reproduce your issue.
Hello @vsoch here are the logs: I tested the allow list and I am able to approve selected vulnerabilities. Thank you very much for adding this :) If I may suggest.. Ex: And if there are no unapproved vulnerabilities,
2021/12/27 09:20:37 [WARN] ▶ Image [alpine:latest] contains 4 total vulnerabilities
Thanks again!
Awesome that it works! For interaction in CI, have you tried saving a report to programmatically parse? E.g., stools/stools/clair/__init__.py Line 60 in 0704228
I did try using the report feature, but the json file does not have the status of whether the vulnerability is approved or not. For me, it looked easier to parse the output than the report for listing the vulnerabilities.
Gotcha! I have work this week but I’ll make some time this weekend to test adding that extra summary ability at the end. I’m thinking it would make sense to add a flag for it in case the person running the tool doesn’t want it.
Sure, thank you!
@ashwinidr23 I'll need your help to work on this - here is a data structure report that I've output, if you could please show me what you'd expect the output to be for this it would be greatly appreciated. Thanks!
@vsoch,
On a different note, I just noticed that a sandbox image gets built every time we scan for vulnerabilities. We have images which take hours to build. So it would take the same amount of time to scan the container as it takes to create one. It would work for sample images. But it would take significant time for large images. Thank you for working on this & wish you a happy new year!
ah okay - so it looks like you want the print output to include the allowed, and to have them organized by the name. Let me see what I can put together.
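The matching described earlier in the thread (allowlist keyed by the upper-level OS, then by CVE name) and the summary requested here (allowed and not-allowed findings, grouped and sorted by name, with a CI-friendly exit code) can be sketched in a few lines. The following is an added example written for this page; it is not stools' own code or the format of its report or allowlist file. The report shape, the allowlist JSON, the CVE names (all constructed placeholders) and the function names `load_allowlist`, `classify`, `summarize` and `exit_code` are assumptions.

```python
"""Added example: allowlisting scan findings by OS and CVE name, then summarizing.

Not stools' code. The report shape and the allowlist format are assumptions
made for illustration only.
"""
import json

# Constructed sample scan report (shape is an assumption, not the stools format).
# CVE names are placeholders, not real identifiers.
SAMPLE_REPORT = {
    "image": "alpine:latest",
    "os": "alpine",
    "vulnerabilities": [
        {"name": "CVE-0000-0003", "severity": "Low", "package": "zlib"},
        {"name": "CVE-0000-0001", "severity": "High", "package": "openssl"},
        {"name": "CVE-0000-0002", "severity": "Medium", "package": "busybox"},
    ],
}

# Constructed allowlist file contents: OS name -> list of CVE names to approve.
# The "ubuntu" entry must not apply to an alpine image.
SAMPLE_ALLOWLIST_JSON = """
{
  "alpine": ["cve-0000-0002"],
  "ubuntu": ["CVE-0000-0003"]
}
"""


def load_allowlist(text):
    """Parse the allowlist JSON into {os: set of upper-cased CVE names}."""
    raw = json.loads(text)
    return {os_name.lower(): {cve.upper() for cve in cves} for os_name, cves in raw.items()}


def classify(report, allowlist):
    """Split findings into 'allowed' and 'notallowed' for the report's OS.

    Only the allowlist section matching the image's OS is consulted; CVE
    names are compared case-insensitively. Each bucket is sorted by name.
    """
    os_name = report.get("os", "").lower()
    allowed_for_os = allowlist.get(os_name, set())
    result = {"allowed": [], "notallowed": []}
    for vuln in report.get("vulnerabilities", []):
        bucket = "allowed" if vuln["name"].upper() in allowed_for_os else "notallowed"
        result[bucket].append(vuln)
    for bucket in result.values():
        bucket.sort(key=lambda v: v["name"].upper())
    return result


def summarize(report, classified):
    """Return a human-readable summary, one line per finding plus a total line."""
    lines = []
    for status in ("notallowed", "allowed"):
        for vuln in classified[status]:
            lines.append(f"{vuln['name']} {vuln['severity']} {vuln['package']} {status}")
    total = len(classified["allowed"]) + len(classified["notallowed"])
    lines.append(
        f"Image [{report['image']}] contains {total} total vulnerabilities, "
        f"{len(classified['allowed'])} allowed, {len(classified['notallowed'])} not allowed"
    )
    return "\n".join(lines)


def exit_code(classified):
    """Non-zero when any finding is not on the allowlist, so a CI job fails."""
    return 1 if classified["notallowed"] else 0


if __name__ == "__main__":
    result = classify(SAMPLE_REPORT, load_allowlist(SAMPLE_ALLOWLIST_JSON))
    print(summarize(SAMPLE_REPORT, result))
    raise SystemExit(exit_code(result))
```

Keying the allowlist by OS keeps an approval for one distribution's package from silently covering the same CVE name on another, and sorting both buckets by name gives the stable, diff-able output that a pipeline log or a report file needs.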
okay all set for testing! I'm not sure I have a good image to test - try it out and tell me if it's working.
I tested the changes, I tested with the singularity_latest image itself as the other production images take a long time to scan. I assume there is another build happening while scanning and it takes a long time for scanning. I took all the vulnerabilities from the JSON file and added them to the allowlist and tested again. I expected that there would be no unapproved vulnerabilities now since I added all the vulnerabilities mentioned in the json to the allowed list. But I found that there were a few vulnerabilities which were still unapproved. When I checked for those CVEs in the JSON file, I found them missing. I can however parse the output file now and get my work done. But I wanted to bring it to your notice in case you wanted to fix that. Thank you again for the quick work.
Sorry about that @ashwinidr23 it sounds like a bug! I'm taking a look now - I think I might have a guess for what the issue is.
okay fixed! I tested with your allowlist (thank you!) and there were many printed without notallowed (the allowed). Let me know what other examples of summary / similar you are looking for (a concrete example with the singularity_latest.sif and the allow list we have as the example or your custom one here would work best for me to reproduce).
I got to test it again with the same allowlist and the same singularity_latest.sif image.
So, to sum it up, the CVEs listed in the output do not match the JSON. The few extra CVEs in the output, whether approved or not, do not make it to the JSON. Hope this helps. Thank you
Please take a shot at fixing the bug that you see - I won’t have time soon!
Not an expert in python, but I will give it a shot sometime.
hello,
is it possible to whitelist vulnerabilities in stools?