Skip to content

Commit

Permalink
feat(vex): retrieve VEX attestations from OCI registries (#7249)
Browse files Browse the repository at this point in the history
Signed-off-by: knqyf263 <knqyf263@gmail.com>
  • Loading branch information
knqyf263 authored Jul 30, 2024
1 parent 4a2f492 commit c2fd2e0
Show file tree
Hide file tree
Showing 19 changed files with 701 additions and 1,244 deletions.
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_filesystem.md
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ trivy filesystem [flags] PATH
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo" or file path)
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
```

### Options inherited from parent commands
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ trivy image [flags] IMAGE_NAME
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo" or file path)
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
```

### Options inherited from parent commands
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ trivy kubernetes [flags] [CONTEXT]
--tolerations strings specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo" or file path)
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
```

### Options inherited from parent commands
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_repository.md
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo" or file path)
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
```

### Options inherited from parent commands
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_rootfs.md
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ trivy rootfs [flags] ROOTDIR
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo" or file path)
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
```

### Options inherited from parent commands
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_sbom.md
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ trivy sbom [flags] SBOM_PATH
-t, --template string output template
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--vex strings [EXPERIMENTAL] VEX sources ("repo" or file path)
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
```

### Options inherited from parent commands
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_vm.md
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ trivy vm [flags] VM_IMAGE
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--vex strings [EXPERIMENTAL] VEX sources ("repo" or file path)
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
```

### Options inherited from parent commands
Expand Down
4 changes: 3 additions & 1 deletion docs/docs/supply-chain/vex/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,19 +12,21 @@ Trivy currently supports two methods for utilizing VEX:

1. [VEX Repository](./repo.md)
2. [Local VEX Files](./file.md)
3. [VEX Attestation](./oci.md)

### Enabling VEX
To enable VEX, use the `--vex` option.
You can specify the method to use:

- To enable the VEX Repository: `--vex repo`
- To use a local VEX file: `--vex /path/to/vex-document.json`
- To enable VEX attestation discovery in OCI registry: `--vex oci`

```bash
$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo
```

You can enable both methods simultaneously.
You can enable these methods simultaneously.
The order of specification determines the priority:

- `--vex repo --vex /path/to/vex-document.json`: VEX Repository has priority
Expand Down
121 changes: 121 additions & 0 deletions docs/docs/supply-chain/vex/oci.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
# Discover VEX Attestation in OCI Registry

!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.

Trivy can discover VEX attestations for container images.
This feature allows you to automatically use VEX during container image scanning.

## How It Works

Trivy can automatically discover and utilize VEX attestations for container images during scanning by using the `--vex oci` flag.
This process enhances vulnerability detection results by incorporating the information from the VEX attestation.

To use this feature, follow these three steps:

1. Create a VEX document
2. Generate and upload a VEX attestation to an OCI registry
3. Use the VEX attestation with Trivy

Steps 1 and 2 are not necessary if you are trying to scan a third-party container image and already have VEX attestation attached.

Let's go through each step in detail.

!!! note
In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the cosign command.

### Step 1: Create a VEX Document

Currently, Trivy does not have a built-in feature to create VEX documents, so you need to create them manually.
You can refer to the [OpenVEX section](./file.md#openvex) for guidance on creating VEX files.

For container image vulnerabilities, the product ID should be the OCI type in the [PURL][purl] format.
For example:

```
pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy
```

This product ID applies the VEX statement to all tags of the `ghcr.io/aquasecurity/trivy` container image.
If you want to declare a statement for a specific digest only, you can use:

```
pkg:oci/trivy@sha256:5bd5ab35814f86783561603ebb35d5d5d99006dcdcd5c3f828ea1afb4c12d159?repository_url=ghcr.io/aquasecurity/trivy
```

!!! note
Using an image tag, like `pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy&tag=0.50.0`, is not supported in the product ID at the moment.

Next, specify vulnerable packages as subcomponents, such as `pkg:apk/alpine/busybox`.
You can also include the package version and other [qualifiers][qualifiers] (e.g., `arch`) to limit statements, like `pkg:apk/alpine/busybox@1.36.1-r29?arch=x86`.

Lastly, include the vulnerability IDs.

Here's an example VEX document:

```json
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f",
"author": "Aqua Security",
"timestamp": "2024-07-30T19:07:16.853479631-06:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2023-42363"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/busybox"},
{"@id": "pkg:apk/alpine/busybox-binsh"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "awk is not used"
}
]
}
```

You can also refer to [Trivy's example](https://github.com/aquasecurity/trivy/blob/4e54a7e84c33c1be80c52c6db78c634bc3911715/.vex/oci.openvex.json) for more inspiration.

### Step 2: Generate and Upload a VEX Attestation to an OCI Registry

You can use the [Cosign command](https://docs.sigstore.dev/verifying/attestation/) to generate and upload the VEX attestation.
Cosign offers methods both with and without keys.
For detailed instructions, please refer to the Cosign documentation.

To generate and attach a VEX attestation to your image, use the following command:

```
$ cosign attest --predicate oci.openvex.json --type openvex <IMAGE>
```

Note that this command attaches the attestation only to the specified image tag.
If needed, repeat the process for other tags and digests.

### Step 3: Use VEX Attestation with Trivy

Once you've attached the VEX attestation to the container image, Trivy can automatically discover and use it during scanning.
Simply add the `--vex oci` flag when scanning a container image:

```
$ trivy image --vex oci <IMAGE>
```

To see which vulnerabilities were filtered by the VEX attestation, use the `--show-suppressed` flag:

```
$ trivy image --vex oci --show-suppressed <IMAGE>
```

The `<IMAGE>` specified in these commands must be the same as the one to which you attached the VEX attestation.

[purl]: https://github.com/package-url/purl-spec
[qualifiers]: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
39 changes: 30 additions & 9 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ require (
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20240613070307-2c3868d658ac
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v0.13.0
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04
Expand Down Expand Up @@ -75,6 +75,7 @@ require (
github.com/liamg/iamgo v0.0.9
github.com/liamg/jfather v0.0.7
github.com/liamg/memoryfs v1.6.0
github.com/magefile/mage v1.15.0
github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
github.com/masahiro331/go-ebs-file v0.0.0-20240112135404-d5fbb1d46323
github.com/masahiro331/go-ext4-filesystem v0.0.0-20231208112839-4339555a0cd4
Expand All @@ -90,6 +91,7 @@ require (
github.com/open-policy-agent/opa v0.66.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0
github.com/openvex/discovery v0.1.0
github.com/openvex/go-vex v0.2.5
github.com/owenrumney/go-sarif/v2 v2.3.3
github.com/owenrumney/squealer v1.2.3
Expand Down Expand Up @@ -133,8 +135,6 @@ require (
sigs.k8s.io/yaml v1.4.0
)

require github.com/magefile/mage v1.15.0

require (
cloud.google.com/go v0.112.1 // indirect
cloud.google.com/go/compute/metadata v0.3.0 // indirect
Expand Down Expand Up @@ -182,6 +182,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/briandowns/spinner v1.23.0 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
Expand All @@ -198,9 +199,12 @@ require (
github.com/containerd/typeurl/v2 v2.1.1 // indirect
github.com/cpuguy83/dockercfg v0.3.1 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/dlclark/regexp2 v1.4.0 // indirect
github.com/docker/cli v27.0.3+incompatible // indirect
Expand All @@ -218,6 +222,7 @@ require (
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-errors/errors v1.4.2 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-git/go-billy/v5 v5.5.0 // indirect
Expand All @@ -234,16 +239,17 @@ require (
github.com/go-openapi/spec v0.21.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/go-test/deep v1.1.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-yaml v1.9.5 // indirect
github.com/gofrs/uuid v4.3.1+incompatible // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/certificate-transparency-go v1.1.8 // indirect
github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
Expand All @@ -260,12 +266,13 @@ require (
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-safetemp v1.0.0 // indirect
github.com/hashicorp/golang-lru v0.6.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
github.com/hashicorp/terraform-json v0.22.1 // indirect
github.com/huandu/xstrings v1.4.0 // indirect
github.com/imdario/mergo v0.3.15 // indirect
github.com/imdario/mergo v0.3.16 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/jmoiron/sqlx v1.3.5 // indirect
github.com/josharian/intern v1.0.0 // indirect
Expand All @@ -274,6 +281,7 @@ require (
github.com/klauspost/compress v1.17.9 // indirect
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
github.com/lib/pq v1.10.9 // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect
Expand Down Expand Up @@ -303,6 +311,7 @@ require (
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
github.com/ncruces/go-strftime v0.1.9 // indirect
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/runtime-spec v1.2.0 // indirect
github.com/opencontainers/selinux v1.11.0 // indirect
Expand All @@ -316,30 +325,38 @@ require (
github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
github.com/prometheus/client_golang v1.19.1 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.48.0 // indirect
github.com/prometheus/common v0.51.1 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/rivo/uniseg v0.4.4 // indirect
github.com/rubenv/sql-migrate v1.5.2 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sagikazarmark/locafero v0.4.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/shirou/gopsutil/v3 v3.24.2 // indirect
github.com/shoenig/go-m1cpu v0.1.6 // indirect
github.com/shopspring/decimal v1.3.1 // indirect
github.com/sigstore/cosign/v2 v2.2.4 // indirect
github.com/sigstore/sigstore v1.8.3 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/skeema/knownhosts v1.2.2 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spf13/afero v1.11.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/tklauser/go-sysconf v0.3.13 // indirect
github.com/tklauser/numcpus v0.7.0 // indirect
github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
github.com/ulikunitz/xz v0.5.11 // indirect
github.com/vbatts/tar-split v0.11.5 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
Expand Down Expand Up @@ -371,6 +388,7 @@ require (
google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect
google.golang.org/grpc v1.64.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
Expand All @@ -397,3 +415,6 @@ require (
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
)

// cf. https://github.com/openvex/discovery/pull/40
replace github.com/openvex/discovery => github.com/knqyf263/discovery v0.1.1-0.20240726113521-97873005fd03
Loading

0 comments on commit c2fd2e0

Please sign in to comment.