aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Enhancement request to support the Common Security Advisory Framework (CSAF) format. #1475

Closed santosomar closed 8 months ago

santosomar commented 2 years ago

The Common Security Advisory Framework Version 2.0 is now an approved specification in the industry. Details about the specification can be found at: https://csaf.io and https://docs.oasis-open.org/csaf/csaf/v2.0/cs01/csaf-v2.0-cs01.html

CSAF is a language to exchange Security Advisories formulated in JSON. CSAF v2.0 is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties. It also supports "Vulnerability Exploitability eXchange" (VEX) profiles to associate security vulnerability advisories with software bill of materials (SBOMs). The SBOMs can be either in SPDX, CycloneDX, or SWID formats.

This issue is to humbly request the support of CSAF as an option for the output/report of the tool.

knqyf263 commented 2 years ago

If I understand correctly, CSAF is similar to OVAL and CVRF and they are input for vulnerability detection. Is there any benefit to output the result in CSAF format? For example, Trivy consumes OVAL and CVRF, but it doesn't generate the result in those formats.

santosomar commented 2 years ago

Hi @knqyf263 ,

Thank you for looking into this and your reply! Yes indeed. CSAF is the replacement or successor of CVRF. In CSAF 2.0 we introduced the ability to map vulnerabilities with an SBOM. This is done by using a VEX profile.

This profile is used to provide information of the "Vulnerability Exploitability eXchange". The main purpose of the VEX format is to state that and why a certain product is, or is not, affected by a vulnerability.

This enhancement request is to have the ability to have Trivy provide a report of the vulnerabilities found after the scan in CSAF format.

Thank you again! Omar

knqyf263 commented 2 years ago

@santosomar Thanks for your explanation! Sounds interesting. We've added the task to our backlog and we welcome any contributions!!

tschmidtb51 commented 2 years ago

Just a quick remark: Here is a description of how you link an SBOM component in CSAF, as well as examples for CycloneDX and SPDX.

mpermar commented 1 year ago

@knqyf263 are there any plans to tackle that backlog item?

I have been checking this issue as our team is pretty interested in CSAF support, and the main challenge I see seems to be the lack of golang libraries for CSAF (a standard that is not particularly simple). I still could hack some silly (and invalid as per the above links from @tschmidtb51) filtering by just reusing OpenVEX's CSAF library. This is totally a quick hack and the wrong approach, as OpenVEX is a totally different and unrelated VEX implementation and their CSAF support is mainly there to support filtering from vexctl. I would think either CSAF should provide some basic golang parsing tooling or this hypothetical little parsing library could exist in the trivy codebase itself. So, reiterating, this is just a test.

bash-3.2$ trivy fs --format cyclonedx --output trivy.sbom.cdx ./go.mod
bash-3.2$ ./trivy sbom trivy.sbom.cdx
go.mod (gomod)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ 1.44.245          │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

bash-3.2$ tail -n 51 trivy.csaf
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.2.3",
                "product": {
                  "name": "Aqua Security 1.2.3",
                  "product_id": "urn:cdx:9e28c9d8-786d-4cad-a98d-9828af22eed1/1#pkg:golang/github.com/aws/aws-sdk-go@1.44.245"
                }
              }
            ],
            "category": "product_name",
            "name": "Foo"
          }
        ],
        "category": "vendor",
        "name": "Aqua Security"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-8911",
      "notes": [
        {
          "category": "description",
          "text": "Important vulnerability being triaged.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "urn:cdx:9e28c9d8-786d-4cad-a98d-9828af22eed1/1#pkg:golang/github.com/aws/aws-sdk-go@1.44.245"
        ]
      },
      "threats": [
        {
          "category": "impact",
          "details": "Class with vulnerable code was removed before shipping.",
          "product_ids": [
            "urn:cdx:9e28c9d8-786d-4cad-a98d-9828af22eed1/1#pkg:golang/github.com/aws/aws-sdk-go@1.44.245"
          ]
        }
      ]
    }
  ]
}

bash-3.2$ ./trivy sbom trivy.sbom.cdx --vex ./trivy.csaf
2023-05-12T12:29:50.270+0200    INFO    Vulnerability scanning is enabled
2023-05-12T12:29:50.275+0200    INFO    Detected SBOM format: cyclonedx-json
2023-05-12T12:29:50.285+0200    WARN    Ignore the OS package as no OS information is found.
2023-05-12T12:29:50.329+0200    INFO    Number of language-specific files: 1
2023-05-12T12:29:50.329+0200    INFO    Detecting gomod vulnerabilities...
2023-05-12T12:29:50.373+0200    INFO    Filtered out the detected vulnerability {"VEX format": "OpenVEX", "vulnerability-id": "CVE-2020-8911", "status": "not_affected", "justification": ""}

go.mod (gomod)

Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │ LOW      │ 1.44.245          │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

@santosomar any golang libraries coming at least for VEX support from CSAF community?
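
The filtering step shown in the session above, as an added Go example that is not Trivy's or OpenVEX's code: it reads only the `vulnerabilities[].product_status.known_not_affected` part of a CSAF 2.0 document and drops scan findings whose CVE and product_id are both cleared. The `Finding` type, the `NotAffected`/`Filter` names and the sample advisory (modelled on the fragment quoted in the comment) are constructed for this illustration.

```go
package main

import "encoding/json"

// Added illustration, not Trivy's code: the subset of a CSAF 2.0 advisory
// needed to honour VEX known_not_affected statements. It assumes the CSAF
// product_id equals the (SBOM-prefixed) package URL attached to each finding.
type csafDoc struct {
	Vulnerabilities []struct {
		CVE           string `json:"cve"`
		ProductStatus struct {
			KnownNotAffected []string `json:"known_not_affected"`
		} `json:"product_status"`
	} `json:"vulnerabilities"`
}

// Finding is one detected vulnerability on one product (constructed type).
type Finding struct{ CVE, ProductID string }

// Constructed sample advisory, modelled on the fragment in the thread above.
const sampleCSAF = `{"vulnerabilities":[{"cve":"CVE-2020-8911",
  "product_status":{"known_not_affected":[
   "urn:cdx:9e28c9d8-786d-4cad-a98d-9828af22eed1/1#pkg:golang/github.com/aws/aws-sdk-go@1.44.245"]}}]}`

// NotAffected returns the set of "CVE|product_id" pairs the advisory clears.
func NotAffected(doc []byte) (map[string]bool, error) {
	var d csafDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	cleared := map[string]bool{}
	for _, v := range d.Vulnerabilities {
		for _, pid := range v.ProductStatus.KnownNotAffected {
			cleared[v.CVE+"|"+pid] = true
		}
	}
	return cleared, nil
}

// Filter drops findings cleared by the advisory; a match needs both the
// CVE and the exact product_id, so other versions stay reported.
func Filter(findings []Finding, cleared map[string]bool) []Finding {
	var kept []Finding
	for _, f := range findings {
		if !cleared[f.CVE+"|"+f.ProductID] {
			kept = append(kept, f)
		}
	}
	return kept
}
```

Matching on the exact product_id is what keeps a `known_not_affected` statement for 1.44.245 from silently suppressing the same CVE on a different version of the package.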

tschmidtb51 commented 1 year ago

@knqyf263, @mpermar, @shift: Please have a look at https://github.com/csaf-poc/csaf_distribution/issues/367#issuecomment-1635806702

If you have a specific request for what (else) would be needed for your use case, please add comments in csaf-poc/csaf_distribution#367