wolfi-dev / advisories Goto Github PK
View Code? Open in Web Editor NEWSecurity advisory data for Wolfi
License: Apache License 2.0
Security advisory data for Wolfi
License: Apache License 2.0
One of the vestigial aspects of our advisory data today that lingers from our beginning with the Alpine "secfixes" approach is that we don't actually enumerate a list or range of distro package versions affected by a given vulnerability, we only record the fixed version of the distro package.
As the advisory data continues to become more full-featured, we should encode the full set of affected package versions, using either ranges or discrete sets.
This will help scanners produce more reliable results, since they won't need to guess about whether an installed version less than the noted fixed version is affected.
Schema suggestions welcome!
Description
There are a lot of CVEs, such as CVE-2023-35116, where we will just want to suppress them across all packages. Presently, we have to do this in every single package we want to NAK the CVE in, but being able to do it in all packages would be helpful.
It might be worth extending the secfixes feed for this.
$ grype cgr.dev/chainguard/kube-fluentd-operator:latest
✔ Vulnerability DB [no update available]
✔ Loaded image cgr.dev/chainguard/kube-fluentd-operator:latest
✔ Parsed image sha256:dd308e6d3e3b063b59c3bd95cb77155b4fe03fd60c7524022ec4e0d0790c2947
✔ Cataloged packages [373 packages]
✔ Scanned for vulnerabilities [11 vulnerabilities]
├── 0 critical, 4 high, 7 medium, 0 low, 0 negligible
└── 4 fixed
[0017] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
grpc 1.52.0 1.53.0 gem GHSA-6628-q6j9-w8vg High
grpc 1.52.0 1.53.0 gem GHSA-9hxf-ppjv-w6rq Medium
grpc 1.52.0 1.53.0 gem GHSA-cfgp-2977-2fmm High
openssl 3.1.0 gem CVE-2023-0464 High
openssl 3.1.0 gem CVE-2023-0465 Medium
openssl 3.1.0 gem CVE-2023-0466 Medium
openssl 3.1.0 gem CVE-2023-1255 Medium
openssl 3.1.0 gem CVE-2023-2650 High
uri 0.12.1 gem CVE-2023-36617 Medium
uri 0.12.1 0.12.2 gem GHSA-hww2-5g85-429m Medium
webrick 1.8.1 gem CVE-2008-1145 Medium
Looking at GHSA-6628-q6j9-w8vg
/ CVE-2023-1428
I hate having to figure the right incantation each time.
Currently, we require a dedicated .yaml file for each application version, with it's own set of advisories. Often these can be more or less copy/paste between app versions.
Take for example grafana. There are (at the time of writing), three supported versions: v8, v9.5 and v10.x (latest). This would require us to create at least three advisory YAMLs (grafana-8.yaml, grafana9.5.yaml, grafana.yaml).
I believe this format is required for vulnerability feeds and scanners to parse, but perhaps there is a better way to generate these, whilst maintaining a single yaml file for each application?
A single .yaml file for each application, i.e we'd only ever have a 'grafana.yaml' with advisory data covering all releases.
Perhaps we could introduce a 'affected_versions' parameter. By default when this is not set, the CVE advisory is only appliciable to the latest releases (or perhaps we default to being applicable to all?). Then we can use 'affected_versions' to pin an advisory to a specific version.
I guess we'd need to create some logic to then generate the individual .yamls for each release in the format the scanners are looking for? Which in itself might be challenging.
I'm sure there may be other options too, but the hope / goal would be to reduce engineering toil by having to make copies of the .yaml each time we need to produce a pinned version of an application, or update advisories in multiple files for multiple releases?
I'm currently investigating CVE-2023-2976 that Grype is reporting on our image cgr.dev/chainguard/gradle:latest
.
I'm looking into this CVE in the cgr.dev/chainguard/jenkins:latest
image :)
Description
I'd suggest to add the aliases to the CVE advisory data when available to avoid situations such as the issue commented here: https://chainguard-dev.slack.com/archives/C05GYUBM07Q/p1698059647569109.
Description
See https://github.com/wolfi-dev/os/pull/21715/files and
https://blog.packagist.com/composer-2-7-7/
Shouldn't that be listed here 🤔
Today, there's nothing preventing a contributor from adding new advisories to the repo for packages that don't exist in Wolfi.
These additions are usually a mistake, such as when:
In other scenarios, it's not a mistake (it's intentional), such as when:
Add functionality to the advisories repo's CI to fail whenever an advisory document's .package.name
isn't found in Wolfi.
This solution doesn't account for the scenarios listed in the "not a mistake" category above. We'll need to figure out how to account for those scenarios.
We should clarify the definition of when a package "exists in the distro". There are two relevant sets: (A) packages currently defined in the distro repo (e.g. in https://github.com/wolfi-dev/os on main
), and (B) found in the APKINDEX for the distro.
Thus, there are several possibilities for how we define "exists in the distro" using these sets, such as:
Similar to the example problem mentioned in #277, version streams can be the reason advisory data becomes unlinked from relevant distro packages in various contexts. #277 showed one example of this, where converting an existing distro package to a version stream results in a name change that breaks the link between distro package and advisory data. (And package names can change, and have changed, for other reasons unrelated to version streams.)
However, version streams are an interesting case — more generally than what's accounted for in #277 — because they typically imply we'll keep making more of them. For example, right now for the go
"virtual package", we have the version streams go-1.19
, go-1.20
, and go-1.21
. In the case of Go, new minor releases come out roughly every February and August, so in a few more months we'll have go-1.22
, and so on into the future.
The separation of a distro package into various version streams is a Wolfi-ism — the upstream project typically doesn't reflect this same splitting of a package's identity. Moreover, it's common for vulnerability data and the analysis we encode in advisory data to relate more to the (virtual) package on the whole, rather than to one or two individual version streams.
In these cases, keeping up with new version streams can quickly become tedious and error-prone. We might have advisory data for existing version streams of a virtual package that applies to all future version streams as well. Today, we need to realize when new version streams are being created and remember to perform the necessary copies to new advisory documents. Doing so creates redundancy, and forgetting to do so creates gaps in the data that quickly affects downstream users and vulnerability scan results.
We could add a new field to the advisory document schema that the .package.name
field is referring to a virtual package, not a literal package name.
For example, in the case of Go, instead of:
schema-version: "2"
package:
name: go-1.19
advisories:
- id: CVE-2020-29509
# ...
and
schema-version: "2"
package:
name: go-1.20
advisories:
- id: CVE-2020-29509
# ...
and
schema-version: "2"
package:
name: go-1.21
advisories:
- id: CVE-2020-29509
# ...
... we could just have:
schema-version: 2.0.1
package:
name: go
virtual: true
advisories:
- id: CVE-2020-29509
# ...
Then, this data, in combination with data taken from distro package definitions, could result in downstream artifacts where our concise advisory data representation gets "inflated" to instead describe all literal packages when needed. For example, in the Go example above, we could still produce a secdb with entries for each of go-1.19
, go-1.20
, and go-1.21
.
An alternative implementation is that we wouldn't need a new field, but instead we'd leverage the APK semantics of package search, where a .package.name
value of go
would link to matching packages that provided go=...
.
Every once in a while, a distro package's name changes. One reason for this is that we create a version stream for that package, such as in this PR when we renamed php
to php-8.2
.
Advisory documents reference packages by their name (in .package.name
). So one problem that can arise is if a distro package Melange file changes the package name without updating the corresponding advisory document, the link is broken. In this case, no distro package can be found for the given advisory document.
A more user-visible problem with this scenario is that vulnerability scanners will no longer know to apply security data derived from our advisory document when analyzing the installed distro package. This can result in false positives and false negatives, depending on the scanner matching strategy being used.
One last consideration: it's also possible that simply updating the package name in both the Melange file and the advisory document causes a problem. Although we've updated the distro package name, the former package name has been used in published APKs and still exists "in the wild". If we update the package name in the advisory data, scans of installations of these former versions of the APK will can become less accurate, since relevant data is not being leveraged by the scanner.
We could add a new field to the advisory document schema where we can list historical/alternative names for the package described in the given advisory document.
For example, in the above PHP example, we might have an advisory document that now looks like this:
schema-version: 2.0.1
package:
name: php-8.2
alternative-names:
- php
advisories:
# ...
"php-8.2"
and "php"
, ensuring that scanners are never in a place to miss out on this data.A new CVE is being reported on our gradle-8:
├── 📄 /usr/share/java/gradle/lib/plugins/ivy-2.3.0.jar
│ 📦 ivy 2.3.0 (java-archive)
│ High CVE-2022-37866
│ Medium CVE-2022-46751 GHSA-2jc4-r94c-rp7h fixed in 2.5.2
│ High CVE-2022-37866 GHSA-wv7w-rj2x-556x fixed in 2.5.1
We need to investigate the status of this CVE!
@stormqueen1990 would you be able to take this on next week? Given you became very familiar with gradle :)
Over the past several months, we've identified a handful of specific expectations we have for the data quality in this repo that we've been checking manually during PR reviews. Several of these expectations could instead be asserted by CI. Doing so would reduce toil in advisory PR reviews and increase confidence in the repository's data quality.
This issue tracks progress on our short-term data validation goals.
Standard validation
fixed
events don't refer to the first published version of a packageDiff validation
Description
CVE-2007-4559 is currently marked as not_affected for all versions of python provided by Wolfi, which made sense at the time since upstream had rejected calls to make changes to the behaviour in the past; however, due to more recent attention around it they have decided to make changes to address this - PEP-706 and python/cpython#73974 (comment).
I had spoken to @luhring about this one previously but never captured anywhere and thought it was worth bringing up for discussion.
I'm not sure what the status
on the Wolfi advisory should be now, but I do think that the impact
should at least be updated to reflect the new stance
I also wondered if there was any interest in patching the existing wolfi python distributions to bring forward the default behaviour that would be introduced in python 3.14 to completely resolve CVE-2007-4559?
We detected CVE-2023-34231 in our telegraf-1.26 package. This CVE is associated with the github.com/snowflakedb/gosnowflake
package.
The Go vulnerability DB group indicated this CVE is likely not a vulnerability: golang/vulndb#1846
The fix isn't fixing anything. We need to investigate further to identity the next steps here.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.