[BUG]: Pipeline does not generate checklist when the CVE intel does not return vulnerabilities #2012
Closed
2 tasks done
Labels: bug (Something isn't working), external (This issue was filed by someone outside of the Morpheus team), Needs Triage (Need team to review and classify)
Version
02-EA
Which installation method(s) does this occur on?
No response
Describe the bug.
The pipeline returns that it did not find any vulnerable packages or dependencies in the SBOM when the CVEs' vulnerable package component is either one of the following:
In such cases, the CVEs' intelligence usually lacks the details of the vulnerable version (or range) of the package.
These repositories do not tag their releases with semver tags, or, in cases where the input repository is itself the CVE's vulnerable package, the SBOM does not contain it as a package (because the package is the built artifact of the input repository, in other words, the application itself that runs in the container). Thus we cannot perform a version comparison to determine whether the package is vulnerable or not.
What we do have in such cases is a commit or PR that fixes the issue among the CVE intelligence references, so it can be checked whether the commit/PR was merged or whether its content was incorporated into the input git repository ref (in other words, whether the fix commit is an ancestor of the input git repository ref/branch/tag in the commit tree, or whether the content of the fix commit/PR was cherry-picked/rebased/squashed on top of some ancestor of the input git repository's ref/branch/tag).
Sometimes the CVE intelligence includes a link to the problematic lines in some file of the repository (with an immutable commit id as the git ref, so the link to the problematic line/range of lines will not change). These lines are the reason for the vulnerability, so in such cases a code search for these problematic lines in the input git repo ref would help determine whether the vulnerable code is present in the code base or not.
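The two fallback checks described above (fix commit reachable from the input ref, or its content cherry-picked/rebased onto an ancestor; and a code search for the CVE-referenced lines) as an added example. This is not code from the Morpheus project or from the issue author: the commit graph, diffs, file contents and the `fix`/`rel2` commit names are constructed stand-ins, and the checks run over them in memory so the example is self-contained. Against a real clone the same questions map to `git merge-base --is-ancestor`, `git patch-id --stable` and a whitespace-normalised search over the checked-out tree.

```python
# Added example (not Morpheus code): fix-presence checks that need no
# package version. All commits, diffs and sources below are constructed.
import hashlib
from collections import deque

# Constructed commit graph: commit id -> parent ids.
COMMITS = {
    "c0": [],
    "c1": ["c0"],
    "fix": ["c1"],      # upstream commit that fixes the CVE
    "c3": ["fix"],      # main branch head, fix is an ancestor
    "rel1": ["c1"],     # release branch forked before the fix
    "rel2": ["rel1"],   # cherry-pick of the fix onto the release branch
}

# Constructed diffs: same content, but a cherry-pick gets new blob ids and
# new hunk line numbers, so the raw diff text is not byte-identical.
FIX_DIFF = """\
diff --git a/auth/token.go b/auth/token.go
index 1111111..2222222 100644
--- a/auth/token.go
+++ b/auth/token.go
@@ -10,3 +10,6 @@ func validate(tok string) error {
     claims := parse(tok)
+    if claims.Expiry.Before(time.Now()) {
+        return ErrExpired
+    }
     return nil
 }
"""
BACKPORT_DIFF = (FIX_DIFF
                 .replace("1111111..2222222", "3333333..4444444")
                 .replace("@@ -10,3 +10,6 @@", "@@ -42,3 +42,6 @@"))
COMMIT_DIFFS = {"fix": FIX_DIFF, "rel2": BACKPORT_DIFF}


def is_ancestor(graph, ancestor, ref):
    """True if `ancestor` is reachable from `ref` via parent links
    (what `git merge-base --is-ancestor <ancestor> <ref>` reports)."""
    seen, queue = set(), deque([ref])
    while queue:
        cur = queue.popleft()
        if cur == ancestor:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(graph.get(cur, []))
    return False


def patch_id(diff_text):
    """Hash of a diff's +/- lines with whitespace, blob ids and hunk line
    numbers stripped (a simplified `git patch-id --stable`), so a
    cherry-picked or rebased copy of the fix hashes the same."""
    h = hashlib.sha256()
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            h.update(line.encode())          # which file changed
        elif line.startswith("@@"):
            h.update(b"@@")                  # hunk boundary, numbers dropped
        elif line.startswith(("index ", "--- ", "+++ ")):
            continue                         # blob ids and file headers
        elif line[:1] in ("+", "-"):
            h.update("".join(line.split()).encode())
        else:
            continue                         # context lines are ignored
        h.update(b"\n")
    return h.hexdigest()


def fix_incorporated(graph, diffs, fix_commit, ref):
    """True if the fix is an ancestor of `ref`, or `ref` or one of its
    ancestors carries a change with the same patch id (cherry-pick/rebase)."""
    if is_ancestor(graph, fix_commit, ref):
        return True
    want = patch_id(diffs[fix_commit])
    seen, queue = set(), deque([ref])
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        if cur in diffs and patch_id(diffs[cur]) == want:
            return True
        queue.extend(graph.get(cur, []))
    return False


def _normalise(lines):
    """Collapse whitespace and drop blank lines so indentation changes
    do not hide a match."""
    return [" ".join(l.split()) for l in lines if l.strip()]


def vulnerable_lines_present(source, vulnerable_lines):
    """True if the CVE-referenced lines occur consecutively in `source`."""
    hay, needle = _normalise(source.splitlines()), _normalise(vulnerable_lines)
    if not needle:
        return False
    n = len(needle)
    return any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


# Constructed file contents before and after the fix, plus the two lines an
# advisory would link to as the vulnerable code.
VULNERABLE_SOURCE = """\
package auth

func validate(tok string) error {
    claims := parse(tok)
    return nil
}
"""
PATCHED_SOURCE = VULNERABLE_SOURCE.replace(
    "    claims := parse(tok)\n",
    "    claims := parse(tok)\n    if claims.Expiry.Before(time.Now()) {\n"
    "        return ErrExpired\n    }\n")
VULNERABLE_LINES = ["claims := parse(tok)", "return nil"]
```

For the constructed graph, `fix_incorporated` reports the main branch head `c3` as fixed by ancestry, the release branch head `rel2` as fixed by patch id (the cherry-pick), and `rel1` as unfixed. Two caveats a pipeline should carry: a squashed commit bundles the fix with other changes, so its patch id will not match and a hunk-containment check is needed instead; and the line search is a presence test only, so the absence of the referenced lines must be combined with the fix-commit result rather than read as "not vulnerable" on its own.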
Minimum reproducible example
Example 1:
CVE: https://access.redhat.com/security/cve/CVE-2024-1725
input git repository: https://github.com/openshift/kubevirt-csi-driver
image: registry.redhat.io/openshift4/kubevirt-csi-driver-rhel8
image digest sha tag: sha256:a736e373732e14e9dd2895b30e686bcac7686d28adbde2b66a777ba9b15ba910
Example 2:
CVE: https://access.redhat.com/security/cve/CVE-2024-5037
input source git repository: https://github.com/openshift/telemeter
image: registry.redhat.io/openshift4/ose-telemeter
image digest sha tag: sha256:dba47f7eb4c3c8b309fc522b4aa4d35e142b65a5c198271771ca7c3909d00c44
Relevant log output
Full env printout
Other/Misc.
No response