feat(security): support project vulnerability scanning and VEX statements#5029
feat(security): support project vulnerability scanning and VEX statements#5029brandtkeller wants to merge 17 commits into
Conversation
…ents Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
✅ Deploy Preview for zarf-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Codecov Report✅ All modified and coverable lines are covered by tests. 🚀 New features to boost your workflow:
|
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
| go.yaml.in/yaml/v3 v3.0.4 // indirect | ||
| go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect | ||
| go4.org v0.0.0-20230225012048-214862532bf5 // indirect | ||
| golang.org/x/telemetry v0.0.0-20260625142307-59b4966ccb57 // indirect |
There was a problem hiding this comment.
Note: these dependency changes are a result of the tool directive below. It feels like a neat utility but I am not tied to this versus other installation methods.
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
AustinAbro321
left a comment
There was a problem hiding this comment.
This is cool to see. Some questions and comments
| | 2 | `grype` on built binary | Indirect-dependency CVEs consumers face | Fails on **High or Critical** (un-suppressed) | | ||
|
|
||
| **Tier 1** surfaces vulnerabilities in code actually reached at runtime, with very few false | ||
| positives. It has no suppression mechanism; every finding must be addressed upstream. |
There was a problem hiding this comment.
"It has no suppression mechanism;"
What does suppression mean in this context? In this PR we are suppressing GHSA-fqw6-gf59-qr4w that seemingly has an equivalent for govulncheck. Does that fact that it's in the vex file mean that we're suppressing the govulncheck vulnerability as well?
Said another way, where should users look for a list of active Zarf CVEs? If this list exists will the equivalent govulncheck for GHSA-fqw6-gf59-qr4w be included or excluded from that list ?
There was a problem hiding this comment.
govulncheck findings are project contributor/maintainer facing and also have no suppression mechanism (to flag findings as ignored). Grype findings are the list that zarf users will typically be using and of which we can point them to running against our artifacts with VEX statements.
Grype is working on closing the gap between govuln and current scanning - so I expect to see more overlap with grype being the more wholistic story.
There was a problem hiding this comment.
Gotcha, the "every finding must be addressed upstream" just made me feel like there is an action to take on every govulncheck finding even if the finding is not relevant.
| When a CVE appears in an **indirect** dependency (marked `// indirect` in `go.mod` — present | ||
| only because a direct dependency requires it): | ||
|
|
||
| - **Do not** open a PR that bumps the indirect dependency solely to resolve the finding. |
There was a problem hiding this comment.
It's rare, but I think there are cases where a critical should be updated directly. Using the replace directive will avoid any go.mod drift in that case.
I would also start this section with the evaluation bullet, then combine this point with the third point (prefer direct dependency upgrade, if deemed necessary patch with replace directive).
There was a problem hiding this comment.
language could be more flexible for nuance
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Description
Users have been (appropriately) approaching the project with scanner findings from Zarf. Many of these are occurrences of transitive indirect dependency vulnerabilities that do not affect Zarf itself and are not reachable. In order to reduce cognitive burden for both maintainers and users - we're creating policy and VEX statements to help provide releasable evidence to suppress scanner findings with context from the maintainers.
At the same time, monitoring the vulnerability surface has been adhoc and not automated.
This PR addresses this gap and adds automation to support earlier identification of findings and discoverable (and transient) adjudication information.
This adds a nightly (or manually executed) workflow to scan for CVE's using both
govulncheckandgrype. govulncheck provides scanner findings directly to the project security dashboard and adds context we can then correlate togrypewhich publishes potentially non-reachable findings that users otherwise would want information about why they are not applicable. If there are high/critical findings the workflow will fail.We create a vex workflow (documented) that offers a point of adjudication and supression method for the aforementioned
grypescanning above. Maintainers can author vex statements for non-applicable findings for which the next subsequent run of the scan will supress said findings.The VEX is packaged with the Init Package as a document file (any findings therein are directly applicable to both the Agent and CLI) as well as released as a release artifact for a given version.
Make targets are provided for the workflows to use locally.
Related Issue
Fixes #3842
Checklist before merging