Closed amdawson closed 4 weeks ago
Thanks for raising this.
Please let us know when integration with the Wolfi and Chainguard secdb data is planned.
Will do. Currently we do not have a definitive date to address this but will consider it based on customer feedback.
Great, thanks @cdupuis! Ping me if I can help, too. 😃
Hi @cdupuis, just a follow-up on this one: we are hearing about some false positives on Scout scans; is this one getting worked? See my OP for links to guidance on scanner support for Chainguard; the links give you all the details.
We are now publishing our security advisory feeds in OSV format, if that helps @cdupuis
Thanks for pointing that out. I clearly missed this and I can't find any reference in https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/foundational_concepts.md#security-data. Is this still the right place?
Regarding the issue here, I fail to reproduce the behaviour described above for the sample image provided. See the following output:
```
❯ docker scout cves cgr.dev/chainguard/metrics-server
    ✓ SBOM obtained from attestation, 11 packages found
    ✓ No vulnerable package detected

## Overview

                    │       Analyzed Image
────────────────────┼─────────────────────────────────────────────
  Target            │  cgr.dev/chainguard/metrics-server:latest
    digest          │  313936368ee3
    platform        │  linux/arm64
    vulnerabilities │    0C     0H     0M     0L
    size            │  18 MB
    packages        │  11

## Packages and Vulnerabilities

  No vulnerable packages detected
```
Could you please provide an example of such a false positive report for us to verify?
Note that since this issue was opened we started using the cosign delivered SBOMs for analysis on these images so the behaviour has changed.
Thanks @cdupuis and @justincormack! With the recent changes, I think we're in a much better state. I'll reach back out if I see anything else come up 🙇
Thank you Chainguard team. I’ll close this here. Please feel free to open a new issue if you end up seeing other issues.
As the owner of its own distro, Chainguard maintains advisory data that captures the results of investigations into potential vulnerabilities. This includes cases where Chainguard determines a vulnerability to be a false positive.
Chainguard publishes guidance for vulnerability scanner integration here. Scanners are expected to honor Chainguard's advisory data, including these "false positive" designations, so that the vulnerability report output from supported scanners is as accurate as possible.
Even though the Docker docs show that both the Wolfi (open source) and Chainguard (commercial) advisory feeds are used by Docker Scout, it appears that Docker Scout does not correctly implement support for our false positive data in all cases. According to this output, when Docker Scout finds matches to language ecosystem (e.g. NPM) packages, Docker Scout doesn't correctly suppress the result when these matches are noted in Chainguard's secdb as false positives.
This means Docker Scout fails to meet an expectation defined in Chainguard's Vulnerability Scanner Support docs, specifically on this page, item 4a.
Please let us know when integration with the Wolfi and Chainguard secdb data is planned.
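As an added illustration of the expectation in item 4a above (this is not Docker Scout's or Chainguard's code): a scanner that consumes the Alpine-style secdb feed should treat a CVE recorded under version `"0"` for a package as an investigated false positive and suppress it, report a match as fixed only when the installed version is at or past a listed fix version, and otherwise keep the finding. Assumed here: the secdb layout (`packages[].pkg.secfixes`) and the meaning of the `"0"` key; the package data and CVE identifiers are constructed placeholders, and the version comparison is a simplified stand-in for apk's ordering.

```python
import json
import re

# Constructed sample in the Alpine-style secdb layout (assumption: the "0"
# version key marks a finding Chainguard investigated and recorded as a
# false positive / not affected; the CVE ids are placeholders).
SAMPLE_SECDB = json.loads("""
{
  "reponame": "os",
  "packages": [
    {"pkg": {"name": "metrics-server",
             "secfixes": {"0": ["CVE-0000-0001"],
                          "0.7.1-r0": ["CVE-0000-0002"]}}}
  ]
}
""")


def _ver_key(version):
    """Simplified apk version ordering: numeric parts, then the -rN release."""
    base, _, rel = version.partition("-r")
    nums = [int(p) for p in re.findall(r"\d+", base)]
    return nums, int(rel or 0)


def load_secfixes(secdb):
    """Index the feed as {package: {cve: set(versions)}} for fast lookup."""
    index = {}
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        for version, cves in pkg["secfixes"].items():
            for cve in cves:
                index.setdefault(pkg["name"], {}).setdefault(cve, set()).add(version)
    return index


def classify(index, package, installed, cve):
    """Decide what a scanner should do with a (package, version, CVE) match.

    Returns 'false-positive' (suppress), 'fixed' (suppress), 'vulnerable'
    (report) or 'unknown' (no advisory data; fall back to other sources).
    """
    versions = index.get(package, {}).get(cve)
    if not versions:
        return "unknown"
    if "0" in versions:
        return "false-positive"
    if any(_ver_key(installed) >= _ver_key(v) for v in versions):
        return "fixed"
    return "vulnerable"
```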