Skip to content

feat(vex): CSAF support #1826

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Aug 15, 2025
Merged

feat(vex): CSAF support #1826

merged 18 commits into from
Aug 15, 2025

Conversation

juan131
Copy link
Contributor

@juan131 juan131 commented Apr 25, 2024
edited
Loading

Following #1397, this PR extends VEX support for ignoring/adding matches based on Vulnerability Exploitability Exchange data so it also accepts CSAF format.

The PR also refactors the grype/vex package since now there's more than one supported VEX format (CSAF & OpenVEX) and it requires the vex processor to be able to distinguish between VEX formats and apply a different implementation.

Credits to @joancafom as the designer of this implementation.

Use case

Given a CSAF VEX document such as the one below:

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "Example Company VEX document. Unofficial content for demonstration purposes only.",
        "title": "Author comment"
      }
    ],
    "publisher": {
      "category": "vendor",
      "name": "Example Company ProductCERT",
      "namespace": "https://psirt.example.com"
    },
    "title": "AquaSecurity example VEX document",
    "tracking": {
      "current_release_date": "2022-03-03T11:00:00.000Z",
      "generator": {
        "date": "2022-03-03T11:00:00.000Z",
        "engine": {
          "name": "Secvisogram",
          "version": "1.11.0"
        }
      },
      "id": "2022-EVD-UC-01-A-001",
      "initial_release_date": "2022-03-03T11:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-03-03T11:00:00.000Z",
          "number": "1",
          "summary": "Initial version."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.6.0",
                "product": {
                  "name": "Spring Boot 2.6.0",
                  "product_id": "SPB-00260",
                  "product_identification_helper": {
                    "purl": "pkg:apk/alpine/libcrypto3@3.0.8-r3?arch=aarch64&distro=alpine-3.17.3&upstream=openssl"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Spring Boot"
          }
        ],
        "category": "vendor",
        "name": "Spring"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-1255",
      "notes": [
        {
          "category": "description",
          "text": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "SPB-00260"
        ]
      },
      "threats": [
        {
          "category": "impact",
          "details": "Class with vulnerable code was removed before shipping.",
          "product_ids": [
            "SPB-00260"
          ]
        }
      ]
    }
  ]
}

You can use it so Grype suppresses the vulnerability which status is known_not_affected given the justification Class with vulnerable code was removed before shipping:

$ go run ./cmd/grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex csaf-demo.json --show-suppressed
 ✔ Loaded image                                                                                                                                              alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
 ✔ Parsed image                                                                                                                                                     sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
 ✔ Cataloged contents                                                                                                                                                      70d8c7273858fd8527b5ed258b89f719593c2ba469ca14f9c1e5a1a5e6c961f5
   ├── ✔ Packages                        [15 packages]
   ├── ✔ File metadata                   [78 locations]
   ├── ✔ Executables                     [17 executables]
   └── ✔ File digests                    [78 files]
 ✔ Scanned for vulnerabilities     [56 vulnerability matches]
   ├── by severity: 5 critical, 8 high, 38 medium, 6 low, 0 negligible
   └── by status:   46 fixed, 11 not-fixed, 1 ignored
NAME           INSTALLED   FIXED IN    TYPE  VULNERABILITY   SEVERITY  EPSS           RISK
libcrypto3     3.0.8-r3    3.0.9-r0    apk   CVE-2023-2650   Medium    92.0% (99th)   52.9
libssl3        3.0.8-r3    3.0.9-r0    apk   CVE-2023-2650   Medium    92.0% (99th)   52.9
(...)
ssl_client     1.35.0-r29              apk   CVE-2024-58251  Low       < 0.1% (2nd)   < 0.1
libcrypto3     3.0.8-r3    3.0.8-r4    apk   CVE-2023-1255   Medium    < 0.1% (14th)  < 0.1  (suppressed by VEX)

@juan131
feat(vex): CSAF support
ad30b70 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
Copy link
Contributor Author

juan131 commented Apr 25, 2024
edited
Loading

Still a drat since it's missing unit & integration tests

juan131 added 3 commits April 25, 2024 13:43
@juan131
feat: add unit tests
e0e59f8 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
feat: add integration tests
2754e38 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
Merge branch 'main' into feat/vex-csaf
7cd816a
@juan131 juan131 marked this pull request as ready for review April 29, 2024 08:55
@juan131
Copy link
Contributor Author

juan131 commented Apr 29, 2024

Unit & integration tests added

@juan131
Copy link
Contributor Author

juan131 commented Apr 29, 2024

cc @wagoodman

@juan131 juan131 mentioned this pull request May 7, 2024
Closed
@wagoodman wagoodman self-assigned this May 9, 2024
@carrodher
Copy link

Hi @wagoodman, is there anything we can help with at this time?

This was referenced Sep 18, 2024
Merged
Merged
@willmurphyscode willmurphyscode added the enhancement New feature or request label Dec 10, 2024
@willmurphyscode
Copy link
Contributor

Hi @carrodher thanks for the ping! I'm sorry this sat for a while.

I have some time in my calendar in the next few weeks to review this and get it in. Is this still something you all are interested in working on?

If so, I think the main things to do first are get it up to date with main, and address the fact that the CSAF POC repo has moved to https://github.com/gocsaf/csaf and been renamed, so there's a bit of work needed to address the rename.

Let me know how you all would like to proceed. Thanks!

@carrodher
Copy link

Hi @willmurphyscode, yes, definitely.
In fact, at this moment there are other PRs opened by @juan131 with some ongoing development, i.e. anchore/syft#3341.

Juan is now on PTO, but he will resume those contributions once he's back in a few days.

@wagoodman wagoodman removed their assignment Jan 16, 2025
@willmurphyscode willmurphyscode mentioned this pull request Apr 25, 2025
Merged
willmurphyscode and others added 8 commits July 17, 2025 14:21
@willmurphyscode
chore: update bubbly to fixed version
e7341c2 
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
@juan131
ci(integration): use a valid CVE
fcb462a 
Signed-off-by: juan131 <juan.ariza@broadcom.com>
@juan131
chore(bouncer): add missing packages to ignore
9d878ea 
Signed-off-by: juan131 <juan.ariza@broadcom.com>
@juan131
Merge branch 'main' into feat/vex-csaf
c06d03d
@juan131
bugfix: address linter suggestions
f92f30f 
Signed-off-by: juan131 <juan.ariza@broadcom.com>
@juan131
Merge branch 'main' into feat/vex-csaf
80257d5
@willmurphyscode
chore: switch to standard lib time parsing
7a04dd2 
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
@willmurphyscode
chore: improve error message
d418058 
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
@willmurphyscode willmurphyscode moved this from Stalled to In Review in OSS Aug 15, 2025
@willmurphyscode willmurphyscode merged commit 42c333e into anchore:main Aug 15, 2025
12 checks passed
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Aug 15, 2025
@juan131 juan131 deleted the feat/vex-csaf branch August 18, 2025 06:02
@BrewTestBot BrewTestBot mentioned this pull request Aug 27, 2025
Merged
@joonas joonas mentioned this pull request Sep 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@willmurphyscode willmurphyscode willmurphyscode approved these changes

Assignees

@willmurphyscode willmurphyscode

Labels
breaking-change enhancement New feature or request
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@juan131 @carrodher @willmurphyscode @wagoodman