anchore · wagoodman · Jun 11, 2024
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -28,12 +28,18 @@
  ssh -MS anchore-api -fN4 -L 8228:localhost:8228 remote-docker
  ssh -MS k8s-api -fN4 -L 32768:localhost:32768 remote-docker
 
-.authenticate_to_docker: &authenticate_to_docker
+.authenticate_to_dockerhub: &authenticate_to_dockerhub
  run:
- name: Authenticate to Docker
+ name: Authenticate to Dockerhub
  command: |
  echo "${DOCKER_PASS}" | docker login -u "${DOCKER_USER}" --password-stdin
 
+.authenticate_to_ghcrio: &authenticate_to_ghcrio
+ run:
+ name: Authenticate to ghcr.io
+ command: |
+ echo "${GHCRIO_PASS}" | docker login -u "${GHCRIO_USER}" --password-stdin
+
 .only_main_branch: &only_main_branch
  branches:
  only:
@@ -79,9 +85,10 @@ jobs:
  - checkout
  - <<: *attach_workspace
  - <<: *load_docker_image
- - <<: *authenticate_to_docker
+ - <<: *authenticate_to_dockerhub
+ - <<: *authenticate_to_ghcrio
  - run:
- name: Push to Dockerhub
+ name: Push to Registry
  command: make push
 
 workflows:
@@ -90,10 +97,12 @@ workflows:
  - test
  - lint
 
- push_to_dockerhub:
+ push_to_registry:
  jobs:
  - push:
- name: push_to_dockerhub
- context: dockerhub-anchoredevwrite
+ name: Push to Registry
+ context: 
+ - dockerhub-anchoredevwrite
+ - ghcrio-anchoredevwrite
  filters: *only_main_branch
 
diff --git a/ContainerMakefile b/ContainerMakefile
@@ -1,5 +1,5 @@
 LAST_COMMIT := $(shell git rev-parse HEAD | cut -c 1-7)
-NAME := $(shell pwd | rev | cut -d '/' -f 1 | rev)-$(LAST_COMMIT)
+NAME := $(shell pwd | rev | cut -d '/' -f 1 | rev)
 TEMPDIR = ./.tmp
 IMAGEDIRS = $(shell ls -d containers/* | cut -d '/' -f 2)
 BOLD := $(shell tput -T linux bold)
@@ -11,6 +11,8 @@ RESET := $(shell tput -T linux sgr0)
 TITLE := $(BOLD)$(PURPLE)
 SUCCESS := $(BOLD)$(GREEN)
 
+IMAGE := $(shell if [ -f image-name ]; then cat image-name; echo ':$(LAST_COMMIT)'; else echo "anchore/test_images:$(NAME)-$(LAST_COMMIT)"; fi)
+
 define title
  @printf '$(TITLE)$(1)$(RESET)\n'
 endef
@@ -23,10 +25,13 @@ all: lint build
 help:
  @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "$(BOLD)$(CYAN)%-25s$(RESET)%s\n", $$1, $$2}'
 
+.PHONY: image-name
+image-name: ## Display the image name
+ @echo $(IMAGE)
 
 .PHONY: lint
 lint: ## TODO: with hadolint or similar
- $(call title,Building container image anchore/test_image:$(NAME))
+ $(call title,Building container image $(IMAGE))
  docker run --rm -i hadolint/hadolint hadolint --ignore DL3033 - < Dockerfile
 
 .PHONY: build
@@ -36,15 +41,15 @@ build: ## build container with the current Dockerfile
 ifneq ("$(wildcard scripts/setup.sh)", "")
  ./scripts/setup.sh
 endif
- $(call title,Building container image anchore/test_image:$(NAME))
- docker build -t anchore/test_images:$(NAME) .
+ $(call title,Building container image $(IMAGE))
+ docker build -t $(IMAGE) .
 
 .PHONY: push
-push: build ## push built container to Docker Hub
- $(call title,Pushing container image to docker hub anchore/test_image:$(NAME))
- docker push anchore/test_images:$(NAME)
+push: build ## Push built container to Docker Hub
+ $(call title,Pushing container image to docker hub $(IMAGE))
+ docker push $(IMAGE)
 
 .PHONY: clean
 clean: ## Remove images with the assigned tag for test_images
- $(call title,Removing image anchore/test_image:$(NAME))
- docker rmi anchore/test_images:$(NAME)
+ $(call title,Removing image $(IMAGE))
+ docker rmi $(IMAGE)
diff --git a/containers/vex-oci-attach/Dockerfile b/containers/vex-oci-attach/Dockerfile
@@ -0,0 +1,4 @@
+FROM ubuntu:24.04@sha256:c279a739b31ead4ebc3e9ce04937eb8b612799b52c26133eb3b4a056d08c31a6
+
+# this will associate the image with the test-images repository in ghcr.io
+LABEL org.opencontainers.image.source=https://github.com/anchore/test-images
diff --git a/containers/vex-oci-attach/Makefile b/containers/vex-oci-attach/Makefile
@@ -0,0 +1 @@
+../../ContainerMakefile
diff --git a/containers/vex-oci-attach/README.md b/containers/vex-oci-attach/README.md
@@ -0,0 +1,84 @@
+# vex-oci-attach
+
+This image is meant to capture both an image for analysis as well as VEX documents attached to the OCI registry.
+
+The following references were used as a basis:
+
+```
+grype ubuntu:24.04@sha256:c279a739b31ead4ebc3e9ce04937eb8b612799b52c26133eb3b4a056d08c31a6 -o json | jq '.matches[] | [.vulnerability.id, .artifact.purl]'
+```
+
+```json
+[
+ "CVE-2016-2781",
+ "pkg:deb/ubuntu/coreutils@9.4-3ubuntu6?arch=amd64&distro=ubuntu-24.04"
+]
+[
+ "CVE-2022-3219",
+ "pkg:deb/ubuntu/gpgv@2.4.4-2ubuntu17?arch=amd64&upstream=gnupg2&distro=ubuntu-24.04"
+]
+[
+ "CVE-2016-20013",
+ "pkg:deb/ubuntu/libc-bin@2.39-0ubuntu8.2?arch=amd64&upstream=glibc&distro=ubuntu-24.04"
+]
+[
+ "CVE-2016-20013",
+ "pkg:deb/ubuntu/libc6@2.39-0ubuntu8.2?arch=amd64&upstream=glibc&distro=ubuntu-24.04"
+]
+[
+ "CVE-2024-2236",
+ "pkg:deb/ubuntu/libgcrypt20@1.10.3-2build1?arch=amd64&distro=ubuntu-24.04"
+]
+[
+ "CVE-2020-22916",
+ "pkg:deb/ubuntu/liblzma5@5.6.1%2Breally5.4.5-1?arch=amd64&upstream=xz-utils&distro=ubuntu-24.04"
+]
+[
+ "CVE-2024-4741",
+ "pkg:deb/ubuntu/libssl3t64@3.0.13-0ubuntu3.1?arch=amd64&upstream=openssl&distro=ubuntu-24.04"
+]
+[
+ "CVE-2024-4603",
+ "pkg:deb/ubuntu/libssl3t64@3.0.13-0ubuntu3.1?arch=amd64&upstream=openssl&distro=ubuntu-24.04"
+]
+[
+ "CVE-2024-2511",
+ "pkg:deb/ubuntu/libssl3t64@3.0.13-0ubuntu3.1?arch=amd64&upstream=openssl&distro=ubuntu-24.04"
+]
+[
+ "CVE-2023-7008",
+ "pkg:deb/ubuntu/libsystemd0@255.4-1ubuntu8?arch=amd64&upstream=systemd&distro=ubuntu-24.04"
+]
+[
+ "CVE-2023-7008",
+ "pkg:deb/ubuntu/libudev1@255.4-1ubuntu8?arch=amd64&upstream=systemd&distro=ubuntu-24.04"
+]
+```
+
+The attached vex document when applied properly should ignore the following matches:
+
+- CVE-2016-2781:
+ - pkg:deb/ubuntu/coreutils@9.4-3ubuntu6?arch=amd64&distro=ubuntu-24.04
+
+- CVE-2022-3219
+ - pkg:deb/ubuntu/gpgv@2.4.4-2ubuntu17?arch=amd64&distro=ubuntu-24.04
+
+- CVE-2016-20013
+ - pkg:deb/ubuntu/libc-bin@2.39-0ubuntu8.2?arch=amd64&distro=ubuntu-24.04
+ - pkg:deb/ubuntu/libc6@2.39-0ubuntu8.2?arch=amd64&distro=ubuntu-24.04
+
+- CVE-2023-7008
+ - pkg:deb/ubuntu/libsystemd0@255.4-1ubuntu8?arch=amd64&distro=ubuntu-24.04
+ - pkg:deb/ubuntu/libudev1@255.4-1ubuntu8?arch=amd64&distro=ubuntu-24.04
+
+The vex document (`vex.json`) itself has been attached to this OCI registry via the following command:
+
+```bash
+# in containers/vex-oci-attach
+cosign attest --predicate ./vex.json --type openvex ghcr.io/anchore/test-images/vex-oci-attach@sha256:8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce
+```
+
+The OCI image is hosted on [ghcr.io](https://github.com/anchore/test-images/pkgs/container/test-images%2Fvex-oci-attach) with the attachment (as of this writing) found at tag [sha256-8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce.att](https://github.com/anchore/test-images/pkgs/container/test-images%2Fvex-oci-attach/228700186?tag=sha256-8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce.att)
+
+
+This can be used with `grype --vex-autodiscover`.
diff --git a/containers/vex-oci-attach/image-name b/containers/vex-oci-attach/image-name
@@ -0,0 +1 @@
+ghcr.io/anchore/test-images/vex-oci-attach
diff --git a/containers/vex-oci-attach/vex.json b/containers/vex-oci-attach/vex.json
@@ -0,0 +1,83 @@
+{
+ "@context": "https://openvex.dev/ns/v0.2.0",
+ "@id": "https://openvex.dev/docs/public/vex-5052083e68a4b14c89035ebcedd6d0da6f131d533079ad3e9020b8cd357ccf49",
+ "author": "Alex Goodman <alex.goodman@anchore.com>",
+ "timestamp": "2024-06-17T13:17:48.760049345-05:00",
+ "version": 1,
+ "statements": [
+ {
+ "vulnerability": {
+ "name": "CVE-2016-2781"
+ },
+ "products": [
+ {
+ "@id": "pkg:oci/vex-oci-attach@sha256%3A8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce?repository_url=ghcr.io/anchore/test-images",
+ "subcomponents": [
+ {
+ "@id": "pkg:deb/ubuntu/coreutils@9.4-3ubuntu6?arch=amd64"
+ }
+ ]
+ }
+ ],
+ "status": "fixed"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2022-3219"
+ },
+ "products": [
+ {
+ "@id": "pkg:oci/vex-oci-attach@sha256%3A8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce?repository_url=ghcr.io/anchore/test-images",
+ "subcomponents": [
+ {
+ "@id": "pkg:deb/ubuntu/gpgv@2.4.4-2ubuntu17?arch=amd64"
+ }
+ ]
+ }
+ ],
+ "status": "fixed"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2016-20013"
+ },
+ "products": [
+ {
+ "@id": "pkg:oci/vex-oci-attach@sha256%3A8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce?repository_url=ghcr.io/anchore/test-images",
+ "subcomponents": [
+ {
+ "@id": "pkg:deb/ubuntu/libc-bin@2.39-0ubuntu8.2?arch=amd64"
+ },
+ {
+ "@id": "pkg:deb/ubuntu/libc6@2.39-0ubuntu8.2?arch=amd64"
+ }
+ ]
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_present",
+ "impact_statement": "affected functions were removed before packaging"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2023-7008"
+ },
+ "products": [
+ {
+ "@id": "pkg:oci/vex-oci-attach@sha256%3A8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce?repository_url=ghcr.io/anchore/test-images",
+ "subcomponents": [
+ {
+ "@id": "pkg:deb/ubuntu/libsystemd0@255.4-1ubuntu8?arch=amd64&distro=ubuntu-24.04"
+ },
+ {
+ "@id": "pkg:deb/ubuntu/libudev1@255.4-1ubuntu8?arch=amd64&distro=ubuntu-24.04"
+ }
+ ]
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_present",
+ "impact_statement": "affected functions were removed before packaging"
+ }
+ ]
+}