
feat(vex): Add support for CSAF format #5535

Merged (21 commits) Jan 6, 2024

Conversation

@juan131 (Contributor) commented Nov 8, 2023

Description

This PR adds support for filtering out detected vulnerabilities using the existing --vex experimental flag and VEX data provided using CSAF format (currently only OpenVEX & CycloneDX are supported).

Given the following SBOM, running the scanner reports the following vulnerabilities:

$ trivy sbom trivy.sbom.cdx
2023-11-08T11:26:24.445+0100	INFO	Vulnerability scanning is enabled
2023-11-08T11:26:24.448+0100	INFO	Detected SBOM format: cyclonedx-json
2023-11-08T11:26:24.455+0100	WARN	Ignore the OS package as no OS information is found.
2023-11-08T11:26:24.467+0100	INFO	Number of language-specific files: 1
2023-11-08T11:26:24.467+0100	INFO	Detecting gomod vulnerabilities...

go.mod (gomod)

Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 2, CRITICAL: 0)

┌───────────────────────────────────────┬─────────────────────┬──────────┬────────┬─────────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │    Vulnerability    │ Severity │ Status │  Installed Version  │     Fixed Version      │                            Title                             │
├───────────────────────────────────────┼─────────────────────┼──────────┼────────┼─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl           │ CVE-2023-1732       │ MEDIUM   │ fixed  │ 1.1.0               │ 1.3.3                  │ Improper random reading in CIRCL                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-1732                    │
├───────────────────────────────────────┼─────────────────────┤          │        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cyphar/filepath-securejoin │ GHSA-6xv5-86q9-7xr8 │          │        │ 0.2.3               │ 0.2.4                  │ SecureJoin: on windows, paths outside of the rootfs could be │
│                                       │                     │          │        │                     │                        │ inadvertently produced...                                    │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-6xv5-86q9-7xr8            │
├───────────────────────────────────────┼─────────────────────┤          │        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker              │ GHSA-jq35-85cj-fj4p │          │        │ 23.0.5+incompatible │ 24.0.7                 │ /sys/devices/virtual/powercap accessible by default to       │
│                                       │                     │          │        │                     │                        │ containers                                                   │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-jq35-85cj-fj4p            │
├───────────────────────────────────────┼─────────────────────┤          │        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/sigstore/rekor             │ CVE-2023-33199      │          │        │ 1.1.1               │ 1.2.0                  │ malformed proposed intoto entries can cause a panic          │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-33199                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net                      │ CVE-2023-39325      │ HIGH     │        │ 0.9.0               │ 0.17.0                 │ rapid stream resets can cause excessive work                 │
│                                       │                     │          │        │                     │                        │ (CVE-2023-44487)                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                                       ├─────────────────────┼──────────┤        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-3978       │ MEDIUM   │        │                     │ 0.13.0                 │ Cross site scripting                                         │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                                       ├─────────────────────┤          │        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-44487      │          │        │                     │ 0.17.0                 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                                       │                     │          │        │                     │                        │ attack (Rapid...                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                │ GHSA-m425-mq94-257g │ HIGH     │        │ 1.54.0              │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                     │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-m425-mq94-257g            │
│                                       ├─────────────────────┼──────────┤        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-44487      │ MEDIUM   │        │                     │ 1.58.3, 1.57.1, 1.56.3 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                                       │                     │          │        │                     │                        │ attack (Rapid...                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└───────────────────────────────────────┴─────────────────────┴──────────┴────────┴─────────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

Now, if we create a CSAF VEX assessment for CVE-2023-1732 for example, and we run the command again:

$ ./trivy sbom trivy.sbom.cdx --vex trivy.vex.csaf
2023-11-08T11:27:53.281+0100	INFO	Vulnerability scanning is enabled
2023-11-08T11:27:53.283+0100	INFO	Detected SBOM format: cyclonedx-json
2023-11-08T11:27:53.289+0100	WARN	Ignore the OS package as no OS information is found.
2023-11-08T11:27:53.300+0100	INFO	Number of language-specific files: 1
2023-11-08T11:27:53.300+0100	INFO	Detecting gomod vulnerabilities...
2023-11-08T11:27:53.313+0100	INFO	Filtered out the detected vulnerability	{"VEX format": "CSAF", "vulnerability-id": "CVE-2023-1732", "status": "not_affected"}

go.mod (gomod)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

┌───────────────────────────────────────┬─────────────────────┬──────────┬────────┬─────────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │    Vulnerability    │ Severity │ Status │  Installed Version  │     Fixed Version      │                            Title                             │
├───────────────────────────────────────┼─────────────────────┼──────────┼────────┼─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cyphar/filepath-securejoin │ GHSA-6xv5-86q9-7xr8 │ MEDIUM   │ fixed  │ 0.2.3               │ 0.2.4                  │ SecureJoin: on windows, paths outside of the rootfs could be │
│                                       │                     │          │        │                     │                        │ inadvertently produced...                                    │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-6xv5-86q9-7xr8            │
├───────────────────────────────────────┼─────────────────────┤          │        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker              │ GHSA-jq35-85cj-fj4p │          │        │ 23.0.5+incompatible │ 24.0.7                 │ /sys/devices/virtual/powercap accessible by default to       │
│                                       │                     │          │        │                     │                        │ containers                                                   │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-jq35-85cj-fj4p            │
├───────────────────────────────────────┼─────────────────────┤          │        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/sigstore/rekor             │ CVE-2023-33199      │          │        │ 1.1.1               │ 1.2.0                  │ malformed proposed intoto entries can cause a panic          │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-33199                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net                      │ CVE-2023-39325      │ HIGH     │        │ 0.9.0               │ 0.17.0                 │ rapid stream resets can cause excessive work                 │
│                                       │                     │          │        │                     │                        │ (CVE-2023-44487)                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                                       ├─────────────────────┼──────────┤        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-3978       │ MEDIUM   │        │                     │ 0.13.0                 │ Cross site scripting                                         │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                                       ├─────────────────────┤          │        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-44487      │          │        │                     │ 0.17.0                 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                                       │                     │          │        │                     │                        │ attack (Rapid...                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤        ├─────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                │ GHSA-m425-mq94-257g │ HIGH     │        │ 1.54.0              │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                     │
│                                       │                     │          │        │                     │                        │ https://github.com/advisories/GHSA-m425-mq94-257g            │
│                                       ├─────────────────────┼──────────┤        │                     ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-44487      │ MEDIUM   │        │                     │ 1.58.3, 1.57.1, 1.56.3 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                                       │                     │          │        │                     │                        │ attack (Rapid...                                             │
│                                       │                     │          │        │                     │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└───────────────────────────────────────┴─────────────────────┴──────────┴────────┴─────────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
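Added example (not code from this PR or from Trivy): a stand-alone Go program that shows what a minimal CSAF VEX statement for the CVE-2023-1732 case above looks like and how a scanner can apply it to SBOM findings. It models only the CSAF fields it needs, resolves each product_id through product_tree to the PURL in product_identification_helper, and drops findings the document marks not_affected or fixed. Everything beyond the CSAF field names is the example's own choice, not Trivy's: the product_status-group-to-status mapping, the drop policy, treating a version-less CSAF PURL as covering every version of the package, the Finding type, and the constructed sample findings and document (whose "document" section is trimmed to a few fields).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is one scanner result: advisory ID plus the PURL the SBOM carries for the component.
type Finding struct{ ID, PURL string }
// Only the CSAF fields the filter reads are modelled; product_ids resolve through the tree to a PURL.
type branch struct {
	Branches []branch `json:"branches"`
	Product  *struct {
		ProductID string                              `json:"product_id"`
		Helper    struct{ PURL string `json:"purl"` } `json:"product_identification_helper"`
	} `json:"product"`
}
type csafDoc struct {
	ProductTree     struct{ Branches []branch `json:"branches"` } `json:"product_tree"`
	Vulnerabilities []struct {
		CVE           string              `json:"cve"`
		ProductStatus map[string][]string `json:"product_status"`
	} `json:"vulnerabilities"`
}
// CSAF product_status groups mapped to VEX statuses (example mapping); "recommended" carries no verdict.
var statusOf = map[string]string{
	"known_not_affected": "not_affected", "fixed": "fixed", "first_fixed": "fixed",
	"known_affected": "affected", "first_affected": "affected", "last_affected": "affected",
	"under_investigation": "under_investigation",
}
// purlKey splits a PURL into type/namespace/name and version, dropping qualifiers and subpath.
func purlKey(p string) (base, version string) {
	p, _, _ = strings.Cut(p, "?")
	p, _, _ = strings.Cut(p, "#")
	base, version, _ = strings.Cut(p, "@")
	return base, version
}
// purlsByID maps product_id to PURL across the product tree; products without a PURL are skipped.
func purlsByID(bs []branch, out map[string]string) map[string]string {
	for _, b := range bs {
		if b.Product != nil && b.Product.Helper.PURL != "" {
			out[b.Product.ProductID] = b.Product.Helper.PURL
		}
		purlsByID(b.Branches, out)
	}
	return out
}
// Filter drops findings whose (advisory, package) pair the CSAF VEX marks not_affected or fixed and
// reports each drop. A CSAF PURL with no version covers every version; an unmentioned pair is kept.
func Filter(csafJSON []byte, findings []Finding) (kept []Finding, dropped []string, err error) {
	var doc csafDoc
	if err := json.Unmarshal(csafJSON, &doc); err != nil {
		return nil, nil, err
	}
	ids := purlsByID(doc.ProductTree.Branches, map[string]string{})
	verdicts := map[[3]string]string{} // {cve, purl base, version} -> VEX status
	for _, v := range doc.Vulnerabilities {
		for group, pids := range v.ProductStatus {
			for _, pid := range pids {
				if st, ok := statusOf[group]; ok && ids[pid] != "" {
					base, ver := purlKey(ids[pid])
					verdicts[[3]string{v.CVE, base, ver}] = st
				}
			}
		}
	}
	for _, f := range findings {
		base, ver := purlKey(f.PURL)
		status, ok := verdicts[[3]string{f.ID, base, ver}]
		if !ok {
			status = verdicts[[3]string{f.ID, base, ""}] // version-less statement, if any
		}
		if status == "not_affected" || status == "fixed" {
			dropped = append(dropped, f.ID+" "+f.PURL+": "+status)
		} else {
			kept = append(kept, f)
		}
	}
	return kept, dropped, nil
}
// Constructed sample (not from the PR): three of the findings above and a CSAF VEX marking the circl
// one not_affected. "document" is trimmed; a real file also needs the publisher and tracking fields.
var SampleFindings = []Finding{
	{"CVE-2023-1732", "pkg:golang/github.com/cloudflare/circl@1.1.0"},
	{"CVE-2023-33199", "pkg:golang/github.com/sigstore/rekor@1.1.1"},
	{"CVE-2023-44487", "pkg:golang/golang.org/x/net@0.9.0"},
}
const SampleCSAF = `{
 "document": {"category": "csaf_vex", "csaf_version": "2.0", "title": "VEX for trivy.sbom.cdx"},
 "product_tree": {"branches": [{"category": "vendor", "name": "cloudflare", "branches": [{"category": "product_version",
   "name": "1.1.0", "product": {"name": "circl 1.1.0", "product_id": "CSAFPID-0001",
   "product_identification_helper": {"purl": "pkg:golang/github.com/cloudflare/circl@1.1.0"}}}]}]},
 "vulnerabilities": [{"cve": "CVE-2023-1732", "product_status": {"known_not_affected": ["CSAFPID-0001"]},
   "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["CSAFPID-0001"]}]}]
}`
func main() {
	kept, dropped, err := Filter([]byte(SampleCSAF), SampleFindings)
	fmt.Println(strings.Join(dropped, "\n"), "|", len(kept), "of", len(SampleFindings), "remain; err:", err)
}
```

Matching is keyed on the PURL the SBOM supplies for each finding, so a finding that carries no package reference can never match a CSAF product and is left in place. A production implementation would also validate the document (for instance that document.category is csaf_vex and that known_not_affected entries carry a flag or threat justification) and handle product_tree.full_product_names and relationships, which this example omits.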

@knqyf263 (Collaborator) left a comment

Thanks for your contribution!

@knqyf263 (Collaborator) commented Dec 6, 2023

I have been on paid leave irregularly for various reasons most recently, but would like to review it this week. Thanks!

@juan131 (Contributor Author) commented Dec 12, 2023

Friendly reminder @knqyf263

@juan131 (Contributor Author) commented Dec 19, 2023

@DmitriyLewen @knqyf263 I'd appreciate your review

@DmitriyLewen (Contributor) left a comment

Hello @juan131
Thank you for your work and sorry for the wait.
LGTM.
Left 1 comment.

Can you also add information about CSAF in docs?
Pay attention to 1 point:
For default scanning (I mean non-sbom mode), vuln.PkgRef is usually empty.
We need to write that CSAF only works for sbom mode.
After merge #5439 we will update docs.

package vex

import (
csaf "github.com/csaf-poc/csaf_distribution/v3/csaf"
Contributor (inline review comment):

What if we use https://github.com/openvex/go-vex/blob/main/pkg/csaf/csaf.go

Contributor Author (reply):

I'd rather use the one maintained by OASIS CSAF TC, see https://oasis-open.github.io/csaf-documentation/tools.html

@juan131 (Contributor Author) commented Jan 2, 2024

Can you also add information about CSAF in docs?

Done at b7f1e77

@knqyf263 (Collaborator) left a comment

Thanks for your patience! LGTM!

@knqyf263 knqyf263 added this pull request to the merge queue Jan 6, 2024
Merged via the queue into aquasecurity:main with commit c47ed0d Jan 6, 2024
17 checks passed
@juan131 juan131 deleted the feat/csaf-vex branch January 8, 2024 07:26
@juan131 (Contributor Author) commented Jan 8, 2024

Awesome, thanks @knqyf263 !! Do you plan to include this enhancement in the next minor version 0.49.0?

@knqyf263 (Collaborator) commented Jan 8, 2024

Yes. Also, I started implementing PURL matching to improve CSAF support.

@mpermar commented Jan 8, 2024

This is awesome!! 🎉🚀 @tschmidtb51 FYI!!

Linked issue (may be closed by this pull request): Enhancement request to support the Common Security Advisory Framework (CSAF) format.