
[BUG]: Pipeline does not generate checklist when the CVE intel does not return vulnerabilities #2012

Closed
2 tasks done
IlonaShishov opened this issue Oct 29, 2024 · 1 comment
Labels
bug Something isn't working external This issue was filed by someone outside of the Morpheus team Needs Triage Need team to review and classify

Comments

@IlonaShishov

Version

02-EA

Which installation method(s) does this occur on?

No response

Describe the bug.

The pipeline returns that it did not find any vulnerable packages or dependencies in the SBOM when the CVEs' vulnerable package component is either one of the following:

  1. The input git repository
  2. The upstream of the input git repository (the input git repository is a fork of this upstream).

In such cases, the CVEs' intelligence usually lacks the details of the vulnerable version (or range) of the package.
These repositories do not tag the releases as semver tags, or, in cases where the input repository is itself the CVE's vulnerable package, the SBOM doesn't contain it as a package (because the package is the built artifact of the input repository, or in other words, the application itself that runs in the container). Thus we cannot perform a version comparison in order to determine whether the package is vulnerable or not.
What we do have in such cases is a commit or PR that fixes the issue in the CVEs' intelligence references, so it can be checked whether the commit/PR was merged or whether its content was incorporated into the input git repository ref (in other words, whether the fix commit is an ancestor of the input git repository's ref/branch/tag in the commit tree, or whether the content of the fix commit/PR was cherry-picked/rebased/squashed on top of some ancestor of the input git repository's ref/branch/tag).
Sometimes, inside the CVEs' intelligence, we may find a link to the problematic lines that reside in some file in the repository (with an immutable commit id as the git ref, so the link to the problematic line/range of lines will not change). These lines are the reason for the vulnerability, so in such cases a code search for these problematic lines in the input git repo ref would help to determine whether the vulnerable code is present in the code base or not.

Minimum reproducible example

Example 1 -
CVE: https://access.redhat.com/security/cve/CVE-2024-1725,
input git repository https://github.com/openshift/kubevirt-csi-driver,
image: registry.redhat.io/openshift4/kubevirt-csi-driver-rhel8,
image digest sha tag: sha256:a736e373732e14e9dd2895b30e686bcac7686d28adbde2b66a777ba9b15ba910

Example 2 -
CVE: https://access.redhat.com/security/cve/CVE-2024-5037,
input source git repository https://github.com/openshift/telemeter,
image: registry.redhat.io/openshift4/ose-telemeter,
image digest sha tag: sha256:dba47f7eb4c3c8b309fc522b4aa4d35e142b65a5c198271771ca7c3909d00c44

Relevant log output


[Paste the error here, it will be hidden by default]

Full env printout


[Paste the results of print_env.sh here, it will be hidden by default]

Other/Misc.

No response

Code of Conduct

  • I agree to follow Morpheus' Code of Conduct
  • I have searched the open bugs and have found no duplicates for this bug report
@IlonaShishov IlonaShishov added the bug Something isn't working label Oct 29, 2024
@morpheus-bot-test morpheus-bot-test bot added Needs Triage Need team to review and classify external This issue was filed by someone outside of the Morpheus team labels Oct 29, 2024
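The checks the report above asks for (is the fix commit an ancestor of the input ref, was its content cherry-picked/rebased/squashed in, and is the problematic line still in the tree), as an added shell example that is not Morpheus project code. It runs against a constructed sample repository built inline, assumes only that git is on PATH, and the branch names, file contents and the placeholder CVE id are made up for the demo.

```shell
#!/bin/sh
# Added example (not Morpheus project code): the two checks the report describes,
# run with plain git on a local clone. Assumes git is on PATH.
set -eu
export GIT_AUTHOR_NAME=sample GIT_AUTHOR_EMAIL=sample@example.com
export GIT_COMMITTER_NAME=sample GIT_COMMITTER_EMAIL=sample@example.com

# fix_landed REPO FIX_COMMIT REF
# Prints "ancestor" when FIX_COMMIT is reachable from REF, "cherry-picked" when a
# commit reachable from REF has the same stable patch-id (cherry-pick, rebase and
# squash change the hash, not the patch-id), else "missing" with exit status 1.
fix_landed() {
  _repo=$1 _fix=$2 _ref=$3
  if git -C "$_repo" merge-base --is-ancestor "$_fix" "$_ref"; then
    echo ancestor; return 0
  fi
  _want=$(git -C "$_repo" show "$_fix" | git -C "$_repo" patch-id --stable | cut -d' ' -f1)
  for _c in $(git -C "$_repo" rev-list --no-merges "$_ref"); do
    _got=$(git -C "$_repo" show "$_c" | git -C "$_repo" patch-id --stable | cut -d' ' -f1)
    if [ "$_got" = "$_want" ]; then echo cherry-picked; return 0; fi
  done
  echo missing; return 1
}

# vuln_lines_present REPO REF FIXED_STRING
# Code-search fallback: succeeds when the problematic line quoted in the CVE
# reference still exists in the tree at REF.
vuln_lines_present() {
  git -C "$1" grep -q -F -e "$3" "$2" --
}

# Constructed sample history, not a real project: upstream gets a fix commit,
# fork-new cherry-picks it onto its own diverged history, fork-old never does.
make_sample_repo() {
  d=$(mktemp -d); git init -q "$d"
  printf 'func check(p string) bool { return p == "" }\n' > "$d/auth.go"
  git -C "$d" add auth.go; git -C "$d" commit -q -m initial
  printf 'func check(p string) bool { return verify(p) }\n' > "$d/auth.go"
  git -C "$d" commit -q -am 'fix CVE-XXXX-YYYY'; git -C "$d" branch upstream
  git -C "$d" checkout -q -b fork-old HEAD~1
  echo fork > "$d/README"; git -C "$d" add README; git -C "$d" commit -q -m fork-only
  git -C "$d" checkout -q -b fork-new; git -C "$d" cherry-pick upstream >/dev/null
  echo "$d"
}

repo=$(make_sample_repo); fix=$(git -C "$repo" rev-parse upstream)
for ref in upstream fork-new fork-old; do
  printf '%s: %s\n' "$ref" "$(fix_landed "$repo" "$fix" "$ref" || true)"
done
```

For a real CVE, FIX_COMMIT is the commit/PR merge hash from the intelligence references and REF is the input repository's ref; the patch-id loop is O(history), so bound it with a rev-list range when the clone is large.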
@morpheus-bot-test

Hi @IlonaShishov!

Thanks for submitting this issue - our team has been notified and we'll get back to you as soon as we can!
In the meantime, feel free to add any relevant information to this issue.

@github-project-automation github-project-automation bot moved this from Todo to Done in Morpheus Boards Oct 30, 2024