Extend export format for Container Scanning advisories
Goal
Extend advisory export to also support OS package advisories imported from Trivy DB.
Relevant information
Requirements
- We use this export format for trivy-db data.
- A trivy-db vulnerability can be detected in many different OS packages (i.e. affected packages). All the fields of the trivy-db vulnerability remain the same. However, `cvss_v2`, `cvss_v3` and `severity` might differ depending on the affected package. For that reason this information should be available in the AffectedPackage struct so that it can overwrite the data in the Advisory struct of the export format. This override takes place in the Rails backend. Explained in #422869 (comment 1532002200) and #422869 (comment 1533449636).
- In this first iteration we will support only the `FixedVersion` field from trivy-db. That means that any OS package that doesn't contain this value is considered affected. A consequence of this is that we will not have proper data for some OS packages that do not contain `FixedVersion`. An example of that are RedHat OS packages that follow the pattern: `{"Entries":[{"Affected":[...],"Cves":[{"Severity":1}],"Status":2}]}` (link). Red Hat is not ingested yet so it is out of scope anyway.
- The AffectedPackage struct contains an AffectedRange field. If `FixedVersion` is not present then we set `AffectedRange` to `*`. If `FixedVersion` is present then we set `AffectedRange` to `<` + `FixedVersion`.
- We choose NVD CVSS vectors as the default vectors in case more than one provider is available, for example if we have CVSS vectors from `nvd` and `redhat`.
- Advisories are exported in the advisory bucket using purl types. For example `<advisory_bucket>/<rpm>/<timestamp.ndjson>`.
- A distro to purl type map can be found in this comment.
Example
Let's say we have the following trivy-db vulnerability CVE-XXX :
trivy-db vulnerability: CVE-XXX
{
"Title": "bind: assertion failure in buffer.c while building responses to a specifically constructed request",
"Description": "buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.",
"Severity": "HIGH",
"CweIDs": [
"CWE-20"
],
"VendorSeverity": {
"amazon": 3,
"nvd": 3,
"oracle-oval": 3,
"redhat": 4,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 7.8,
"V3Score": 7.5
},
"redhat": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 5,
"V3Score": 7.5
}
},
"References": [
"http://rhn.redhat.com/errata/RHSA-2016-1944.html",
"http://rhn.redhat.com/errata/RHSA-2016-1945.html",
"http://rhn.redhat.com/errata/RHSA-2016-2099.html",
"http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html",
"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html",
"http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html",
"http://www.securityfocus.com/bid/93188",
"http://www.securitytracker.com/id/1036903",
"https://access.redhat.com/security/cve/CVE-2016-2776",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776",
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05321107",
"https://kb.isc.org/article/AA-01419",
"https://kb.isc.org/article/AA-01419/0",
"https://kb.isc.org/article/AA-01435",
"https://kb.isc.org/article/AA-01436",
"https://kb.isc.org/article/AA-01438",
"https://linux.oracle.com/errata/ELSA-2016-1945.html",
"https://nvd.nist.gov/vuln/detail/CVE-2016-2776",
"https://security.FreeBSD.org/advisories/FreeBSD-SA-16:28.bind.asc",
"https://security.gentoo.org/glsa/201610-07",
"https://security.netapp.com/advisory/ntap-20160930-0001/",
"https://ubuntu.com/security/notices/USN-3088-1",
"https://www.cve.org/CVERecord?id=CVE-2016-2776",
"https://www.exploit-db.com/exploits/40453/"
],
"PublishedDate": "2016-09-28T10:59:00Z",
"LastModifiedDate": "2019-12-27T16:08:00Z"
}
Notice that the `CVSS` field has different values for `nvd` and `redhat`.
Now let's assume that this vulnerability affects two packages:
Oracle Linux > PKG-A > CVE-XXX > {"FixedVersion":"1.2.10.2-15.el6"}
redhat > PKG-B > CVE-XXX > {"Entries":[{"Affected":[1004,1009,1012,1016,1030,1397,1398,1400,1401,1402,1407,1408],"Cves":[{"Severity":1}],"Status":2}]}
If we want to export this advisory it will look like this:
Exported advisory and affected packages
{
"advisory": {
"id": "CVE-XXX",
"source": "trivy-db",
"title": "bind: assertion failure in buffer.c while building responses to a specifically constructed request",
"description": "buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"cvss_v3":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"urls": [
"http://rhn.redhat.com/errata/RHSA-2016-1944.html",
"http://rhn.redhat.com/errata/RHSA-2016-1945.html",
"http://rhn.redhat.com/errata/RHSA-2016-2099.html",
"http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html",
"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html",
"http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html",
"http://www.securityfocus.com/bid/93188",
"http://www.securitytracker.com/id/1036903",
"https://access.redhat.com/security/cve/CVE-2016-2776",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776",
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05321107",
"https://kb.isc.org/article/AA-01419",
"https://kb.isc.org/article/AA-01419/0",
"https://kb.isc.org/article/AA-01435",
"https://kb.isc.org/article/AA-01436",
"https://kb.isc.org/article/AA-01438",
"https://linux.oracle.com/errata/ELSA-2016-1945.html",
"https://nvd.nist.gov/vuln/detail/CVE-2016-2776",
"https://security.FreeBSD.org/advisories/FreeBSD-SA-16:28.bind.asc",
"https://security.gentoo.org/glsa/201610-07",
"https://security.netapp.com/advisory/ntap-20160930-0001/",
"https://ubuntu.com/security/notices/USN-3088-1",
"https://www.cve.org/CVERecord?id=CVE-2016-2776",
"https://www.exploit-db.com/exploits/40453/"
],
"published_date": "2016-09-28T10:59:00Z",
"identifiers": [
{
"type": "cwe",
"name": "CWE-20",
"value": "20",
"url": "https://...."
},
{
"type": "cve",
"name": "CVE-XXX",
"value": "XXX",
"url": "https://...."
}
]
},
"packages": [
{
"name": "PKG-A",
"purl_type": "rpm",
"distro": "Oracle Linux",
"affected_range": "<1.2.10.2-15.el6",
"fixed_versions": [
"1.2.10.2-15.el6"
],
"severity": "3"
},
{
"name": "PKG-B",
"purl_type": "rpm",
"distro": "Red Hat",
"affected_range": "*",
"fixed_versions": [], // Empty because no fixed_versions found in trivy-db OS package.
"severity": "4",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P", // we override cvss_v2 from advisory part with redhat cvss_v2 vector
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" // we override cvss_v3 from advisory part with redhat cvss_v3 vector
}
]
}
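The AffectedRange rule and the per-package severity/CVSS override from the requirements, applied to the CVE-XXX example above, as an added Go example (not the advisory exporter's own code; the type names, the `provider` argument that maps a distro to its trivy-db vendor key, and returning an empty vector when NVD is absent are assumptions):

```go
package main

import "strconv"

// Subset of a trivy-db vulnerability record (hypothetical types, not the exporter's own).
type CVSS struct{ V2Vector, V3Vector string }

type TrivyVuln struct {
	VendorSeverity map[string]int
	CVSS           map[string]CVSS // keyed by provider: "nvd", "redhat", ...
}

// Only FixedVersion is read from the OS package entry in this first iteration.
type TrivyOSPackage struct{ FixedVersion string }

type AffectedPackage struct {
	Name, PurlType, Distro, AffectedRange string
	FixedVersions                         []string
	Severity, CVSSV2, CVSSV3              string // present only when they override the advisory values
}

// DefaultCVSS returns the advisory-level vectors: NVD is preferred when more than
// one provider is available. The fallback when NVD is absent is not specified by
// the issue, so the zero value is returned (assumption).
func DefaultCVSS(v TrivyVuln) CVSS {
	return v.CVSS["nvd"]
}

// NewAffectedPackage derives affected_range from FixedVersion ("*" when absent,
// "<"+FixedVersion when present) and attaches the provider's severity and CVSS
// vectors so the Rails backend can override the advisory-level values.
func NewAffectedPackage(name, purlType, distro, provider string, v TrivyVuln, p TrivyOSPackage) AffectedPackage {
	ap := AffectedPackage{Name: name, PurlType: purlType, Distro: distro,
		AffectedRange: "*", FixedVersions: []string{}}
	if p.FixedVersion != "" {
		ap.AffectedRange = "<" + p.FixedVersion
		ap.FixedVersions = []string{p.FixedVersion}
	}
	if s, ok := v.VendorSeverity[provider]; ok {
		ap.Severity = strconv.Itoa(s)
	}
	// Vectors are carried on the package only when its provider is not the NVD default.
	if c, ok := v.CVSS[provider]; ok && provider != "nvd" {
		ap.CVSSV2, ap.CVSSV3 = c.V2Vector, c.V3Vector
	}
	return ap
}
```

With the record above, PKG-A (provider `oracle-oval`) gets severity "3" and no vectors because trivy-db has no `oracle-oval` CVSS entry, while PKG-B (provider `redhat`) gets severity "4" and the Red Hat vectors, matching the exported JSON.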
Implementation Plan
License Exporter
- Add a new flag for the advisory exporter, `--advisory-source`. This flag will indicate if the source is `glad` or `trivy-db`.
- Add a new CLI flag `--purl-type`. `--registry` and `--purl-type` are mutually exclusive.
- `NewAdvisoryExport` should be renamed to `NewGladAdvisoryExport`. A new entry needs to be created for `NewTrivyDbAdvisoryExport`.
- Rename all advisory related objects to show that they refer to glad.
- Add `export/trivy_db_advisory_ndjson_export.go`, which will implement the export of trivy_db advisories.
- Extend `data/advisory.go` so that we can have a `NewTrivyDbAdvisoryBundle` function.
- Implement the database related queries for getting package information and vulnerabilities from trivy-db related tables.
- Unit tests
- Update readme file
- Release
Deployment project
- Bump advisory-exporter version in the CI/CD file
- Update scripts/run_exporter.sh
- Update documentation
- Update all GLAD scheduled jobs
- Add dev and prod Trivy advisory exporter jobs
Edited by Nick Ilieskou