Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RHEL Provider: Hydra and CSAF as data sources #772

Draft
wants to merge 18 commits into
base: main
Choose a base branch
from
Draft

RHEL Provider: Hydra and CSAF as data sources #772

wants to merge 18 commits into from

Conversation

willmurphyscode
Copy link
Contributor

This PR fixes #323 by introducing a configuration switch for where the RHEL provider gets fix data. In one position, it uses the OVAL XML as it previously did, and in the other, it uses the RedHat's CSAF advisories data from https://security.access.redhat.com/data/csaf/v2/advisories/ to establish fixed in data.

The original goal of this work (attempted in #758) was to drop use of the Hydra API in addition to dropping use of the OVAL XML, but that approach is blocked. In RedHat's CSAF vulnerability data, every package that incurred a version bump due a vulnerability is listed as fixed by the corresponding Advisory. That means that some products are listed as "fixed at version 0:1.1.1" because version "0:1.1.0" was vulnerable, for example, and some are listed as "fixed at version 0:1.1.1" simply because version "0:1.1.0" was in a module that was rebuilt due to an unrelated vulnerability. In other words, a vulnerability scanner cannot assert that version "0:1.1.0" is vulnerable merely because the CSAF data say it was fixed. I have not found a way around this besides querying the old Hydra APIs and using them as guides for which products are vulnerable, and using that to choose the subset of patched packages from the RHSA that are vulnerable. This PR implements this tradeoff.

It's still a draft PR because it lacks some new unit tests and other polish, but it's getting close and I wanted it available for CI runs and feedback.

@willmurphyscode
wip: skeleton of csaf parser
dd33421 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
wip: create seam between hydra and OVAL
19abbb5 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
wip: extract oval RHSA provider
516355d 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
wip: start writing CSAF RHSA provider
65ef422 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
fix version parity for non-module rpms
4baa172 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
mostly working CSAF RHSA provider
2f749fe 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
enable csaf mode
7aeb201 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
wip: csaf RHSA provider wired up
2cda705 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
wip: closer
9812ea7 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
chore: update module regex to account for old version sep
a849c2c 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
wip: fix units and some cleanup
606d26c 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
wip: more cleanup, linting
8f538ab 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
wip: clean static analysis
e18ee99 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode willmurphyscode added the run-pr-quality-gate Triggers running of quality gate on PRs label Feb 1, 2025
@willmurphyscode
Copy link
Contributor Author

willmurphyscode commented Feb 1, 2025
edited
Loading

This is the current qg output, which is honestly pretty good:

   Results used for image docker.io/anchore/test_images@sha256:808f6cf3cf4473eb39ff9bb47ead639d2ed71255b75b9b140162b58c6102bcc9:
    ├── 4c5f895e-6cd7-4479-a3d6-de718cc047a2 : grype[custom-db]@v0.87.0-20-gac07be7 (custom-db)  against docker.io/anchore/test_images@sha256:808f6cf3cf4473eb39ff9bb47ead639d2ed71255b75b9b140162b58c6102bcc9
    └── c84c81ee-cefd-4c19-b77f-49ea444efa5b : grype[reference]@v0.87.0-20-gac07be7 (reference)  against docker.io/anchore/test_images@sha256:808f6cf3cf4473eb39ff9bb47ead639d2ed71255b75b9b140162b58c6102bcc9
Match differences between tooling (with labels):
   TOOL PARTITION                             PACKAGE                                                    VULNERABILITY   LABEL          COMMENTARY
   grype[custom-db]@v0.87.0-20-gac07be7 ONLY  mariadb-common@3:10.3.28-1.module_el8.3.0+757+d382997d     CVE-2021-27928  FalsePositive  (this is a new FP 😱)
   grype[custom-db]@v0.87.0-20-gac07be7 ONLY  mariadb@3:10.3.28-1.module_el8.3.0+757+d382997d            CVE-2021-27928  FalsePositive  (this is a new FP 😱)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1  CVE-2020-35452  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1  CVE-2021-33193  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1  CVE-2021-36160  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1  CVE-2021-44224  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1       CVE-2020-35452  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1       CVE-2021-33193  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1       CVE-2021-36160  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1       CVE-2021-44224  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1             CVE-2020-35452  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1             CVE-2021-33193  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1             CVE-2021-36160  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  [email protected]_el8.6.0+1111+ce6f4ceb.1             CVE-2021-44224  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  maven-lib@1:3.5.4-5.module_el8.6.0+1030+8d97e896           CVE-2020-13956  FalsePositive  (got rid of a former FP 🙌)
   grype[reference]@v0.87.0-20-gac07be7 ONLY  maven@1:3.5.4-5.module_el8.6.0+1030+8d97e896               CVE-2020-13956  FalsePositive  (got rid of a former FP 🙌)


   Results used for image docker.io/anchore/test_images@sha256:524ff8a75f21fd886ec7ed82387766df386671e8b77e898d05786118d5b7880b:
    ├── 7c79d43d-cea2-4457-8222-f0a80281681b : grype[custom-db]@v0.87.0-20-gac07be7 (custom-db)  against docker.io/anchore/test_images@sha256:524ff8a75f21fd886ec7ed82387766df386671e8b77e898d05786118d5b7880b
    └── 8b250a95-eea4-4183-9575-8cecdcb4d280 : grype[reference]@v0.87.0-20-gac07be7 (reference)  against docker.io/anchore/test_images@sha256:524ff8a75f21fd886ec7ed82387766df386671e8b77e898d05786118d5b7880b
Match differences between tooling (with labels):
   TOOL PARTITION                             PACKAGE                                                 VULNERABILITY   LABEL          COMMENTARY
   grype[custom-db]@v0.87.0-20-gac07be7 ONLY  mariadb-common@3:10.3.28-1.module_el8.3.0+757+d382997d  CVE-2021-27928  FalsePositive  (this is a new FP 😱)
   grype[custom-db]@v0.87.0-20-gac07be7 ONLY  mariadb@3:10.3.28-1.module_el8.3.0+757+d382997d         CVE-2021-27928  FalsePositive  (this is a new FP 😱)

The mariadb FPs are tricky - it's a CentOS image, and the version comparison comes down to the build numbers and digests on the end of the version, which are not really comparable between RHEL and RHEL clones. The only reason grype@latest doesn't report this vulnerability is that the modularity is wrong in the prod database for this particular vulnerability, so it's frustrating that the QG is failing because of a missed bug. Fixing the FPs is nice, but we should make sure we're actually fixing them and not like dropping the rows or something.

Because this is a big change I'll also work up a diff in the data to figure out what rows are being changed at all, and how many there are. Some noise is sort of inevitable, but hopefully we'll be able to get it very close.

@willmurphyscode
test: use grype branch for rpm version comps
cfd75f3 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
fix: keep rolling no missing RHSA file
a835699 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
fix: stop module versions sneaking in
a4617d5 
Previously, both the module and package PURLs might match normalized
package name, resulting in an incorrect version being returned. Instead,
keep the remediation product ids in a list, not a set, so that they can
be iterated in a deterministic sequence, and never return a module purl
as though it were a package.

Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
put qg config back
5cce433 
Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode
trace not warn
3d157e7 
Signed-off-by: Will Murphy <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
run-pr-quality-gate Triggers running of quality gate on PRs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Switch RedHat vulnerability provider from OVAL to CSAF
1 participant
@willmurphyscode