Docker Scout does not honor Chainguard's advisory data/secdb

[amdawson]

As the owner of its own distro, Chainguard maintains advisory data that captures the results of investigations into potential vulnerabilities. This includes cases where Chainguard determines a vulnerability to be a false positive.

Chainguard publishes guidance for vulnerability scanner integration here. Scanners are expected to honor Chainguard's advisory data, including these "false positive" designations, so that the vulnerability report output from supported scanners is as accurate as possible.

Even though the Docker docs show that both the Wolfi (open source) and Chainguard (commercial) advisory feeds are used by Docker Scout, it appears that Docker Scout does not correctly implement support for our false positive data in all cases. According to this output, when Docker Scout finds matches to language ecosystem (e.g. NPM) packages, Docker Scout doesn't correctly suppress the result when these matches are noted in Chainguard's secdb as false positives.

This means Docker Scout fails to meet an expectation defined in Chainguard's Vulnerability Scanner Support docs, specifically on this page, item 4a.

Please let us know when integration with the Wolfi and Chainguard secdb data is planned.

[cdupuis]

Thanks for raising this.

Please let us know when integration with the Wolfi and Chainguard secdb data is planned.

Will do. Currently we do not have a definitive date to address this but will consider it based on customer feedback.

[luhring]

Great, thanks @cdupuis! Ping me if I can help, too. 😃

[amdawson]

Hi @cdupuis just a followup on this one, we are hearing about some false positives on scout scans, is this one getting worked? see my OP for links to guidance on scanner support for chainguard, the links give you all the details.

[MordodeMaru]

We are now publishing our security advisory feeds in OSV format, if that helps @cdupuis

[cdupuis]

We are now publishing our security advisory feeds in OSV format, if that helps @cdupuis

Thanks for pointing that out. I clearly missed this and I can't find any reference in https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/foundational_concepts.md#security-data. Is this still the right place?

Regarding the issue here, I fail to reproduce the behaviour described above for the sample image provided. See the following output:

❯ docker scout cves cgr.dev/chainguard/metrics-server
    ✓ SBOM obtained from attestation, 11 packages found
    ✓ No vulnerable package detected

## Overview

                    │               Analyzed Image
────────────────────┼─────────────────────────────────────────────
  Target            │  cgr.dev/chainguard/metrics-server:latest
    digest          │  313936368ee3
    platform        │ linux/arm64
    vulnerabilities │    0C     0H     0M     0L
    size            │ 18 MB
    packages        │ 11

## Packages and Vulnerabilities

  No vulnerable packages detected

Could you please provide an example of such a false positive report for us to verify?

[justincormack]

Note that since this issue was opened we started using the cosign delivered SBOMs for analysis on these images so the behaviour has changed.

[luhring]

Thanks @cdupuis and @justincormack! With the recent changes, I think we're in a much better state. I'll reach back out if I see anything else come up 🙇

[cdupuis]

Thank you Chainguard team. I’ll close this here. Please feel free to open a new issue if you end up seeing other issues.

[luhring]

After looking at more test cases, it looks like this isn't entirely fixed yet. 😞

Specifically, if Chainguard Images are being used as base images to build other images, Scout starts producing false positives again. Here's an example:

First, Scan the latest (as of today) Python dev image:

$ docker scout cves cgr.dev/chainguard/python@sha256:b179fd2b12dadbc3fceb0fda5133020269da349083eef7d1a6378a338fa4ee4b
    ✓ SBOM obtained from attestation, 150 packages found
    ✓ No vulnerable package detected
...

No CVEs, which is correct.

Then, use this image as a base image to build a new image. In this case, we won't even modify the filesystem or image configuration at all.

Dockerfile:

FROM cgr.dev/chainguard/python@sha256:b179fd2b12dadbc3fceb0fda5133020269da349083eef7d1a6378a338fa4ee4b

# That's it!

Build the image, and then scan it:

$ docker build -t test.local/python .
...
$ docker scout cves test.local/python
    ✓ Image stored for indexing
    ✓ Indexed 83 packages
    ✓ Provenance obtained from attestation
    ✗ Detected 1 vulnerable package with 1 vulnerability

## Overview

                    │       Analyzed Image
────────────────────┼──────────────────────────────
  Target            │  test.local/python:latest
    digest          │  a00018200a26
    platform        │ linux/arm64
    vulnerabilities │    0C     1H     0M     0L
    size            │ 181 MB
    packages        │ 83

## Packages and Vulnerabilities

   0C     1H     0M     0L  pip 24.1.1
pkg:pypi/pip@24.1.1

    ✗ HIGH CVE-2018-20225 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2018-20225
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 7.8
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Here, Docker Scout should be applying false positive data from Chainguard's security feed, but since it's not, it's still CVE-2018-20225 in pip — notably the exact same software bits as are in the 0-CVE Chainguard Image.