aquasecurity / trivy-db

Apache License 2.0

feat(bitnami): add support for Bitnami vulnerability database #336

Closed juan131 closed 1 year ago

juan131 commented 1 year ago

Summary

This PR adds support for including Bitnami vulnerability database into Trivy database.

Additional Information

As suggested by @knqyf263, Bitnami vulnerability database is fetched using the db-fetch-langs Makefile target like other advisories do.

This database uses OSV format to specify the CVE information for every affected component. Therefore, I extended the pkg/vulnsrc/osv package to expose a series of functions (see pkg/vulnsrc/osv/utils.go) that can be reused on the new pkg/vulnsrc/bitnami package.

CLAassistant commented 1 year ago

CLA assistant check
All committers have signed the CLA.

knqyf263 commented 1 year ago

The DB size looks ok.

Before: 363MB
After: 364MB

juan131 commented 1 year ago

Hi @knqyf263

Doesn't it mean only 5.15.12 is vulnerable and the others aren't?

Yes, when we set affected.versions instead of affected.ranges in the advisory, it means that the CVE only affects those specific versions. See also:

If it is the case, shouldn't we put VulnerableVersions: []string{"=5.15.12"}?

You're completely right, please check my last commit that adds support for this use case.
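
The affected.versions versus affected.ranges distinction discussed above, as an added example in Go that is not part of this PR or of trivy-db's own code: a constructed OSV entry is parsed and each affected package is mapped to constraint strings, exact versions becoming "=v" and introduced/fixed event pairs becoming ">=introduced, <fixed". The struct subset, the sample entry and the exact constraint spelling are assumptions made for illustration.

```go
package main

import "encoding/json"

// Subset of the OSV schema needed here (encoding/json matches field names case-insensitively).
type Event struct{ Introduced, Fixed string }
type Affected struct {
	Package  struct{ Name string }
	Ranges   []struct{ Events []Event }
	Versions []string
}

// Constructed sample: jquery pinned to one exact version, elasticsearch described by a range.
const sampleOSV = `{"id":"CVE-EXAMPLE-0001","affected":[
 {"package":{"name":"jquery"},"versions":["5.15.12"]},
 {"package":{"name":"elasticsearch"},"ranges":[{"type":"SEMVER","events":[
  {"introduced":"8.0.0"},{"fixed":"8.7.6"},{"introduced":"8.8.0"}]}]}]}`

// affected.versions -> "=v"; affected.ranges -> ">=introduced, <fixed" per event pair,
// or ">=introduced" when no fix event follows (still-unfixed tail of the range).
func vulnerableVersions(a Affected) []string {
	var out []string
	for _, v := range a.Versions {
		out = append(out, "="+v)
	}
	for _, r := range a.Ranges {
		introduced := ""
		for _, e := range r.Events {
			if e.Introduced != "" {
				introduced = e.Introduced
			} else if e.Fixed != "" {
				out = append(out, ">="+introduced+", <"+e.Fixed)
				introduced = ""
			}
		}
		if introduced != "" {
			out = append(out, ">="+introduced)
		}
	}
	return out
}

// ConstraintsByPackage parses one OSV entry into per-package constraint lists.
func ConstraintsByPackage(raw string) (map[string][]string, error) {
	var e struct{ Affected []Affected }
	if err := json.Unmarshal([]byte(raw), &e); err != nil {
		return nil, err
	}
	res := map[string][]string{}
	for _, a := range e.Affected {
		res[a.Package.Name] = append(res[a.Package.Name], vulnerableVersions(a)...)
	}
	return res, nil
}
```
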

juan131 commented 1 year ago

We need to consider how Trivy utilizes this data. Would you mind opening a PR in Trivy?

Yes @knqyf263 ! I was expecting to merge this PR first, given that there are references in Trivy code to this library, see https://github.com/aquasecurity/trivy/blob/main/go.mod#L26

knqyf263 commented 1 year ago

Yes @knqyf263 ! I was expecting to merge this PR first, given that there are references in Trivy code to this library, see https://github.com/aquasecurity/trivy/blob/main/go.mod#L26

Trivy DB will be distributed immediately after PR gets merged. So, we usually use the replace directive and see if Trivy works with the updated Trivy DB. https://github.com/aquasecurity/trivy/blob/77367edc83654a9e81d3c1f114a4fb0f86e1c659/go.mod#L407

juan131 commented 1 year ago

@knqyf263 I need your help to understand how to implement the solution for Trivy. I can see that you already have support to detect/inspect the SPDX files included in our containers, see SBOM analyzer:

This is done while inspecting the container images layers, see:

So after that, we have the information about the Bitnami packages included in the image. However, I don't find anywhere what the code is doing with that information. It seems there's no "postAnalyzer" that uses it.

knqyf263 commented 1 year ago

First of all, Trivy consists of two main parts:

The analysis is performed here for container images. https://github.com/aquasecurity/trivy/blob/790c8054ec61cdc24b4dee622241bc0cc81efe0e/pkg/fanal/artifact/image/image.go#L281-L302

The analysis result of each layer is stored in BlobInfo. https://github.com/aquasecurity/trivy/blob/790c8054ec61cdc24b4dee622241bc0cc81efe0e/pkg/fanal/artifact/image/image.go#L318-L336

Then, it is stored in the cache per layer. https://github.com/aquasecurity/trivy/blob/790c8054ec61cdc24b4dee622241bc0cc81efe0e/pkg/fanal/artifact/image/image.go#L228-L234

The scanning starts here and first gets the package information (and others) by merging the layer cache. https://github.com/aquasecurity/trivy/blob/e5bee5cccd5ca3dc4b8abfdc7f91857b54ea46fb/pkg/scanner/local/scan.go#L58-L60

Non-OS packages are scanned here. https://github.com/aquasecurity/trivy/blob/45d5edb0d70bd7e10b9118038c0cadde9daf2638/pkg/scanner/langpkg/scan.go#L57-L102

The type such as npm and pip is used to determine the database bucket and how to compare versions. We probably need to add the bitnami type here. https://github.com/aquasecurity/trivy/blob/6fcd1538d9590870e7430ce263002f161e1c78b4/pkg/fanal/types/const.go#L9-L35

However, the newly added bitnami packages are not returned by the SBOM analyzer. We need to update the analyzer first. https://github.com/aquasecurity/trivy/blob/9ef01133c8205f90a9733cba5e3396a5ecebb9b6/pkg/fanal/analyzer/sbom/sbom.go#L64-L67

For example, if an SPDX file contains elasticsearch built by Bitnami and we want to detect the vulnerabilities with the Bitnami database, we need to return something as below.

Application{
    Type: "bitnami",
    Libraries: Packages{
        {
            Name:    "elasticsearch",
            Version: "8.7.6",
        },
    },
}

knqyf263 commented 1 year ago

It is a bit complicated. Please feel free to ask me more questions.

juan131 commented 1 year ago

Thanks so much for the detailed explanation! I'll let you know if I have further doubts but I think I have a much better idea of how to implement the solution.

juan131 commented 1 year ago

@knqyf263 I updated the PR to make it compatible with latest changes in main and I created the follow-up PR to add support in Trivy, see https://github.com/aquasecurity/trivy/pull/5062

knqyf263 commented 1 year ago

Thanks! It looks really promising! We might be going to include this enhancement in v0.45.0.

knqyf263 commented 1 year ago

Thanks for your contribution!

juan131 commented 1 year ago

Thank you for your guidance!