-
Notifications
You must be signed in to change notification settings - Fork 561
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: grype explain prototype (#1367)
v0 of "grype explain" - a subcommand to have grype explain why grype reported a match. Signed-off-by: Will Murphy <will.murphy@anchore.com>
- Loading branch information
1 parent
13bae4b
commit 1772f25
Showing
11 changed files
with
2,388 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| package legacy | ||
|
|
||
| import ( | ||
| "encoding/json" | ||
| "fmt" | ||
| "os" | ||
|
|
||
| "github.com/spf13/cobra" | ||
|
|
||
| "github.com/anchore/grype/grype/presenter/explain" | ||
| "github.com/anchore/grype/grype/presenter/models" | ||
| "github.com/anchore/grype/internal" | ||
| "github.com/anchore/grype/internal/log" | ||
| ) | ||
|
|
||
| var cveIDs []string | ||
|
|
||
| var explainCmd = &cobra.Command{ | ||
| Use: "explain --id [VULNERABILITY ID]", | ||
| Short: "Ask grype to explain a set of findings", | ||
| RunE: func(cmd *cobra.Command, args []string) error { | ||
| log.Warn("grype explain is a prototype feature and is subject to change") | ||
| isStdinPipeOrRedirect, err := internal.IsStdinPipeOrRedirect() | ||
| if err != nil { | ||
| log.Warnf("unable to determine if there is piped input: %+v", err) | ||
| isStdinPipeOrRedirect = false | ||
| } | ||
| if isStdinPipeOrRedirect { | ||
| // TODO: eventually detect different types of input; for now assume grype json | ||
| var parseResult models.Document | ||
| decoder := json.NewDecoder(os.Stdin) | ||
| err := decoder.Decode(&parseResult) | ||
| if err != nil { | ||
| return fmt.Errorf("unable to parse piped input: %+v", err) | ||
| } | ||
| explainer := explain.NewVulnerabilityExplainer(os.Stdout, &parseResult) | ||
| return explainer.ExplainByID(cveIDs) | ||
| } | ||
| // perform a scan, then explain requested CVEs | ||
| // TODO: implement | ||
| return fmt.Errorf("requires grype json on stdin, please run 'grype -o json ... | grype explain ...'") | ||
| }, | ||
| } | ||
|
|
||
| func init() { | ||
| setExplainFlags(explainCmd) | ||
| } | ||
|
|
||
| func setExplainFlags(cmd *cobra.Command) { | ||
| cmd.Flags().StringArrayVarP(&cveIDs, "id", "", nil, "CVE ID to explain") | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,9 +1,17 @@ | ||
| package main | ||
|
|
||
| import ( | ||
| "os" | ||
|
|
||
| "github.com/anchore/grype/cmd/grype/cli/legacy" | ||
| "github.com/anchore/grype/internal/log" | ||
| ) | ||
|
|
||
| func main() { | ||
| legacy.Execute() | ||
| cli := legacy.NewCli() | ||
| err := cli.Execute() | ||
| if err != nil { | ||
| log.Error(err) | ||
| os.Exit(1) | ||
| } | ||
| } |
108 changes: 108 additions & 0 deletions
108
grype/presenter/explain/__snapshots__/explain_snapshot_test.snap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
|
|
||
| [TestExplainSnapshot/keycloak-CVE-2020-12413 - 1] | ||
| CVE-2020-12413 from nvd:cpe (Medium) | ||
| The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites. | ||
| Related vulnerabilities: | ||
| - redhat:distro:redhat:9 CVE-2020-12413 (Low) | ||
| Matched packages: | ||
| - Package: nss, version: 3.79.0-17.el9_1 | ||
| PURL: pkg:rpm/rhel/nss@3.79.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1 | ||
| Match explanation(s): | ||
| - redhat:distro:redhat:9:CVE-2020-12413 Direct match (package name, version, and ecosystem) against nss (version 3.79.0-17.el9_1). | ||
| Locations: | ||
| - /var/lib/rpm/rpmdb.sqlite | ||
| - Package: nspr, version: 4.34.0-17.el9_1 | ||
| PURL: pkg:rpm/rhel/nspr@4.34.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1 | ||
| Match explanation(s): | ||
| - redhat:distro:redhat:9:CVE-2020-12413 Indirect match; this CVE is reported against nss (version 3.79.0-17.el9_1), the source RPM of this rpm package. | ||
| Locations: | ||
| - /var/lib/rpm/rpmdb.sqlite | ||
| - Package: nss-softokn, version: 3.79.0-17.el9_1 | ||
| PURL: pkg:rpm/rhel/nss-softokn@3.79.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1 | ||
| Match explanation(s): | ||
| - redhat:distro:redhat:9:CVE-2020-12413 Indirect match; this CVE is reported against nss (version 3.79.0-17.el9_1), the source RPM of this rpm package. | ||
| Locations: | ||
| - /var/lib/rpm/rpmdb.sqlite | ||
| - Package: nss-softokn-freebl, version: 3.79.0-17.el9_1 | ||
| PURL: pkg:rpm/rhel/nss-softokn-freebl@3.79.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1 | ||
| Match explanation(s): | ||
| - redhat:distro:redhat:9:CVE-2020-12413 Indirect match; this CVE is reported against nss (version 3.79.0-17.el9_1), the source RPM of this rpm package. | ||
| Locations: | ||
| - /var/lib/rpm/rpmdb.sqlite | ||
| - Package: nss-sysinit, version: 3.79.0-17.el9_1 | ||
| PURL: pkg:rpm/rhel/nss-sysinit@3.79.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1 | ||
| Match explanation(s): | ||
| - redhat:distro:redhat:9:CVE-2020-12413 Indirect match; this CVE is reported against nss (version 3.79.0-17.el9_1), the source RPM of this rpm package. | ||
| Locations: | ||
| - /var/lib/rpm/rpmdb.sqlite | ||
| - Package: nss-util, version: 3.79.0-17.el9_1 | ||
| PURL: pkg:rpm/rhel/nss-util@3.79.0-17.el9_1?arch=x86_64&upstream=nss-3.79.0-17.el9_1.src.rpm&distro=rhel-9.1 | ||
| Match explanation(s): | ||
| - redhat:distro:redhat:9:CVE-2020-12413 Indirect match; this CVE is reported against nss (version 3.79.0-17.el9_1), the source RPM of this rpm package. | ||
| Locations: | ||
| - /var/lib/rpm/rpmdb.sqlite | ||
| URLs: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2020-12413 | ||
| - https://access.redhat.com/security/cve/CVE-2020-12413 | ||
|
|
||
| --- | ||
|
|
||
| [TestExplainSnapshot/chainguard-ruby-CVE-2023-28755 - 1] | ||
| CVE-2023-28755 from nvd:cpe (High) | ||
| A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. | ||
| Related vulnerabilities: | ||
| - github:language:ruby GHSA-hv5j-3h9f-99c2 (High) | ||
| - wolfi:distro:wolfi:rolling CVE-2023-28755 (High) | ||
| Matched packages: | ||
| - Package: ruby-3.0, version: 3.0.4-r1 | ||
| PURL: pkg:apk/wolfi/ruby-3.0@3.0.4-r1?arch=aarch64&distro=wolfi-20221118 | ||
| Match explanation(s): | ||
| - wolfi:distro:wolfi:rolling:CVE-2023-28755 Direct match (package name, version, and ecosystem) against ruby-3.0 (version 3.0.4-r1). | ||
| - nvd:cpe:CVE-2023-28755 CPE match on `cpe:2.3:a:ruby-lang:uri:0.10.1:*:*:*:*:*:*:*`. | ||
| - wolfi:distro:wolfi:rolling:CVE-2023-28755 Indirect match; this CVE is reported against ruby-3.0 (version 3.0.4-r1), the upstream of this apk package. | ||
| Locations: | ||
| - /usr/lib/ruby/gems/3.0.0/specifications/default/uri-0.10.1.gemspec | ||
| - /lib/apk/db/installed | ||
| URLs: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2023-28755 | ||
| - https://github.com/advisories/GHSA-hv5j-3h9f-99c2 | ||
| - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28755 | ||
|
|
||
| --- | ||
|
|
||
| [TestExplainSnapshot/test_a_GHSA - 1] | ||
| GHSA-cfh5-3ghh-wfjx from github:language:java (Medium) | ||
| Moderate severity vulnerability that affects org.apache.httpcomponents:httpclient | ||
| Related vulnerabilities: | ||
| - nvd:cpe CVE-2014-3577 (Medium) | ||
| Matched packages: | ||
| - Package: httpclient, version: 4.1.1 | ||
| PURL: pkg:maven/org.apache.httpcomponents/httpclient@4.1.1 | ||
| Match explanation(s): | ||
| - github:language:java:GHSA-cfh5-3ghh-wfjx Direct match (package name, version, and ecosystem) against httpclient (version 4.1.1). | ||
| Locations: | ||
| - /TwilioNotifier.hpi:WEB-INF/lib/sdk-3.0.jar:httpclient | ||
| URLs: | ||
| - https://github.com/advisories/GHSA-cfh5-3ghh-wfjx | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2014-3577 | ||
|
|
||
| --- | ||
|
|
||
| [TestExplainSnapshot/test_a_CVE_alias_of_a_GHSA - 1] | ||
| CVE-2014-3577 from nvd:cpe (Medium) | ||
| org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field. | ||
| Related vulnerabilities: | ||
| - github:language:java GHSA-cfh5-3ghh-wfjx (Medium) | ||
| Matched packages: | ||
| - Package: httpclient, version: 4.1.1 | ||
| PURL: pkg:maven/org.apache.httpcomponents/httpclient@4.1.1 | ||
| Match explanation(s): | ||
| - github:language:java:GHSA-cfh5-3ghh-wfjx Direct match (package name, version, and ecosystem) against httpclient (version 4.1.1). | ||
| - nvd:cpe:CVE-2014-3577 CPE match on `cpe:2.3:a:apache:httpclient:4.1.1:*:*:*:*:*:*:*`. | ||
| Locations: | ||
| - /TwilioNotifier.hpi:WEB-INF/lib/sdk-3.0.jar:httpclient | ||
| URLs: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2014-3577 | ||
| - https://github.com/advisories/GHSA-cfh5-3ghh-wfjx | ||
|
|
||
| --- |
Oops, something went wrong.