diff --git a/.circleci/config.yml b/.circleci/config.yml
index 8075201..dea0c22 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -28,12 +28,18 @@
 ssh -MS anchore-api -fN4 -L 8228:localhost:8228 remote-docker
 ssh -MS k8s-api -fN4 -L 32768:localhost:32768 remote-docker
-.authenticate_to_docker: &authenticate_to_docker
+.authenticate_to_dockerhub: &authenticate_to_dockerhub
 run:
- name: Authenticate to Docker
+ name: Authenticate to Dockerhub
 command: |
 echo "${DOCKER_PASS}" | docker login -u "${DOCKER_USER}" --password-stdin
+.authenticate_to_ghcrio: &authenticate_to_ghcrio
+ run:
+ name: Authenticate to ghcr.io
+ command: |
+ echo "${GHCRIO_PASS}" | docker login -u "${GHCRIO_USER}" --password-stdin
+
 .only_main_branch: &only_main_branch
 branches:
 only:
@@ -79,9 +85,10 @@ jobs:
 - checkout
 - <<: *attach_workspace
 - <<: *load_docker_image
- - <<: *authenticate_to_docker
+ - <<: *authenticate_to_dockerhub
+ - <<: *authenticate_to_ghcrio
 - run:
- name: Push to Dockerhub
+ name: Push to Registry
 command: make push
 workflows:
@@ -90,10 +97,12 @@ workflows:
 - test
 - lint
- push_to_dockerhub:
+ push_to_registry:
 jobs:
 - push:
- name: push_to_dockerhub
- context: dockerhub-anchoredevwrite
+ name: Push to Registry
+ context:
+ - dockerhub-anchoredevwrite
+ - ghcrio-anchoredevwrite
 filters: *only_main_branch
diff --git a/ContainerMakefile b/ContainerMakefile
index 98cff54..f55faa1 100644
--- a/ContainerMakefile
+++ b/ContainerMakefile
@@ -1,5 +1,5 @@
 LAST_COMMIT := $(shell git rev-parse HEAD | cut -c 1-7)
-NAME := $(shell pwd | rev | cut -d '/' -f 1 | rev)-$(LAST_COMMIT)
+NAME := $(shell pwd | rev | cut -d '/' -f 1 | rev)
 TEMPDIR = ./.tmp
 IMAGEDIRS = $(shell ls -d containers/* | cut -d '/' -f 2)
 BOLD := $(shell tput -T linux bold)
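Review bot: The new `.authenticate_to_ghcrio` anchor never names the registry, so `docker login -u "${GHCRIO_USER}" --password-stdin` authenticates against Docker Hub (the default server) with the ghcr.io credentials instead of against ghcr.io; because it runs right after `*authenticate_to_dockerhub` in the push job, it most likely also replaces the Docker Hub login that just succeeded. The command should be `echo "${GHCRIO_PASS}" | docker login ghcr.io -u "${GHCRIO_USER}" --password-stdin`. This matters for the `@@ -79,9 +85,10 @@` hunk as well, since `make push` now pushes `$(IMAGE)`, which for the new `vex-oci-attach` image is a ghcr.io reference and would fail with only a Docker Hub session.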
@@ -11,6 +11,8 @@ RESET := $(shell tput -T linux sgr0)
 TITLE := $(BOLD)$(PURPLE)
 SUCCESS := $(BOLD)$(GREEN)
+IMAGE := $(shell if [ -f image-name ]; then cat image-name; echo ':$(LAST_COMMIT)'; else echo "anchore/test_images:$(NAME)-$(LAST_COMMIT)"; fi)
+
 define title
 @printf '$(TITLE)$(1)$(RESET)\n'
 endef
@@ -23,10 +25,13 @@ all: lint build
 help:
 @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "$(BOLD)$(CYAN)%-25s$(RESET)%s\n", $$1, $$2}'
+.PHONY: image-name
+image-name: ## Display the image name
+ @echo $(IMAGE)
 .PHONY: lint
 lint: ## TODO: with hadolint or similar
- $(call title,Building container image anchore/test_image:$(NAME))
+ $(call title,Building container image $(IMAGE))
 docker run --rm -i hadolint/hadolint hadolint --ignore DL3033 - < Dockerfile
 .PHONY: build
@@ -36,15 +41,15 @@ build: ## build container with the current Dockerfile
 ifneq ("$(wildcard scripts/setup.sh)", "")
 ./scripts/setup.sh
 endif
- $(call title,Building container image anchore/test_image:$(NAME))
- docker build -t anchore/test_images:$(NAME) .
+ $(call title,Building container image $(IMAGE))
+ docker build -t $(IMAGE) .
 .PHONY: push
-push: build ## push built container to Docker Hub
- $(call title,Pushing container image to docker hub anchore/test_image:$(NAME))
- docker push anchore/test_images:$(NAME)
+push: build ## Push built container to Docker Hub
+ $(call title,Pushing container image to docker hub $(IMAGE))
+ docker push $(IMAGE)
 .PHONY: clean
 clean: ## Remove images with the assigned tag for test_images
- $(call title,Removing image anchore/test_image:$(NAME))
- docker rmi anchore/test_images:$(NAME)
+ $(call title,Removing image $(IMAGE))
+ docker rmi $(IMAGE)
diff --git a/containers/vex-oci-attach/Dockerfile b/containers/vex-oci-attach/Dockerfile
new file mode 100644
index 0000000..3cf3805
--- /dev/null
+++ b/containers/vex-oci-attach/Dockerfile
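Review bot: The new `IMAGE` definition only yields a single token because `image-name` happens to be committed without a trailing newline; `cat image-name; echo ':$(LAST_COMMIT)'` would otherwise emit two lines, `$(shell)` folds the newline into a space, and `docker build -t $(IMAGE) .` in the `@@ -36,15 +41,15 @@` hunk would receive the tag and the `:<commit>` suffix as separate arguments. A command substitution strips trailing newlines regardless of how the file was saved: `IMAGE := $(shell if [ -f image-name ]; then echo "$$(cat image-name):$(LAST_COMMIT)"; else echo "anchore/test_images:$(NAME)-$(LAST_COMMIT)"; fi)`. A one-line comment above it noting that `image-name` overrides the default `anchore/test_images` repository would also help readers of `make help`.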
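Review bot: In the `@@ -36,15 +41,15 @@` hunk the `push` help text and title still name Docker Hub (`## Push built container to Docker Hub`, `Pushing container image to docker hub $(IMAGE)`) although `$(IMAGE)` can now be a ghcr.io reference read from `image-name`, so `make help` and the build log describe the wrong registry for those images. Suggest `push: build ## Push built container image to its registry` and `$(call title,Pushing container image $(IMAGE))`; `lint` in the previous hunk likewise still prints `Building container image $(IMAGE)` while only running hadolint, which predates this change but is worth fixing while here.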
@@ -0,0 +1,4 @@
+FROM ubuntu:24.04@sha256:c279a739b31ead4ebc3e9ce04937eb8b612799b52c26133eb3b4a056d08c31a6
+
+# this will associate the image with the test-images repository in ghcr.io
+LABEL org.opencontainers.image.source=https://github.com/anchore/test-images
diff --git a/containers/vex-oci-attach/Makefile b/containers/vex-oci-attach/Makefile
new file mode 120000
index 0000000..290a40e
--- /dev/null
+++ b/containers/vex-oci-attach/Makefile
@@ -0,0 +1 @@
+../../ContainerMakefile
\ No newline at end of file
diff --git a/containers/vex-oci-attach/README.md b/containers/vex-oci-attach/README.md
new file mode 100644
index 0000000..602fc18
--- /dev/null
+++ b/containers/vex-oci-attach/README.md
@@ -0,0 +1,84 @@
+# vex-oci-attach
+
+This image is meant to capture both an image for analysis as well as VEX documents attached to the OCI registry.
+
+The following references were used as a basis:
+
+```
+grype ubuntu:24.04@sha256:c279a739b31ead4ebc3e9ce04937eb8b612799b52c26133eb3b4a056d08c31a6 -o json | jq '.matches[] | [.vulnerability.id, .artifact.purl]'
+```
+
+```json
+[
+ "CVE-2016-2781",
+ "pkg:deb/ubuntu/coreutils@9.4-3ubuntu6?arch=amd64&distro=ubuntu-24.04"
+]
+[
+ "CVE-2022-3219",
+ "pkg:deb/ubuntu/gpgv@2.4.4-2ubuntu17?arch=amd64&upstream=gnupg2&distro=ubuntu-24.04"
+]
+[
+ "CVE-2016-20013",
+ "pkg:deb/ubuntu/libc-bin@2.39-0ubuntu8.2?arch=amd64&upstream=glibc&distro=ubuntu-24.04"
+]
+[
+ "CVE-2016-20013",
+ "pkg:deb/ubuntu/libc6@2.39-0ubuntu8.2?arch=amd64&upstream=glibc&distro=ubuntu-24.04"
+]
+[
+ "CVE-2024-2236",
+ "pkg:deb/ubuntu/libgcrypt20@1.10.3-2build1?arch=amd64&distro=ubuntu-24.04"
+]
+[
+ "CVE-2020-22916",
+ "pkg:deb/ubuntu/liblzma5@5.6.1%2Breally5.4.5-1?arch=amd64&upstream=xz-utils&distro=ubuntu-24.04"
+]
+[
+ "CVE-2024-4741",
+ "pkg:deb/ubuntu/libssl3t64@3.0.13-0ubuntu3.1?arch=amd64&upstream=openssl&distro=ubuntu-24.04"
+]
+[
+ "CVE-2024-4603",
+ "pkg:deb/ubuntu/libssl3t64@3.0.13-0ubuntu3.1?arch=amd64&upstream=openssl&distro=ubuntu-24.04"
+]
+[
+ "CVE-2024-2511",
+ "pkg:deb/ubuntu/libssl3t64@3.0.13-0ubuntu3.1?arch=amd64&upstream=openssl&distro=ubuntu-24.04"
+]
+[
+ "CVE-2023-7008",
+ "pkg:deb/ubuntu/libsystemd0@255.4-1ubuntu8?arch=amd64&upstream=systemd&distro=ubuntu-24.04"
+]
+[
+ "CVE-2023-7008",
+ "pkg:deb/ubuntu/libudev1@255.4-1ubuntu8?arch=amd64&upstream=systemd&distro=ubuntu-24.04"
+]
+```
+
+The attached vex document when applied properly should ignore the following matches:
+
+- CVE-2016-2781:
+ - pkg:deb/ubuntu/coreutils@9.4-3ubuntu6?arch=amd64&distro=ubuntu-24.04
+
+- CVE-2022-3219
+ - pkg:deb/ubuntu/gpgv@2.4.4-2ubuntu17?arch=amd64&distro=ubuntu-24.04
+
+- CVE-2016-20013
+ - pkg:deb/ubuntu/libc-bin@2.39-0ubuntu8.2?arch=amd64&distro=ubuntu-24.04
+ - pkg:deb/ubuntu/libc6@2.39-0ubuntu8.2?arch=amd64&distro=ubuntu-24.04
+
+- CVE-2023-7008
+ - pkg:deb/ubuntu/libsystemd0@255.4-1ubuntu8?arch=amd64&distro=ubuntu-24.04
+ - pkg:deb/ubuntu/libudev1@255.4-1ubuntu8?arch=amd64&distro=ubuntu-24.04
+
+The vex document (`vex.json`) itself has been attached to this OCI registry via the following command:
+
+```bash
+# in containers/vex-oci-attach
+cosign attest --predicate ./vex.json --type openvex ghcr.io/anchore/test-images/vex-oci-attach@sha256:8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce
+```
+
+The OCI image is hosted on [ghcr.io](https://github.com/anchore/test-images/pkgs/container/test-images%2Fvex-oci-attach) with the attachment (as of this writing) found at tag [sha256-8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce.att](https://github.com/anchore/test-images/pkgs/container/test-images%2Fvex-oci-attach/228700186?tag=sha256-8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce.att)
+
+
+This can be used with `grype --vex-autodiscover`.
diff --git a/containers/vex-oci-attach/image-name b/containers/vex-oci-attach/image-name
new file mode 100644
index 0000000..4541c9a
--- /dev/null
+++ b/containers/vex-oci-attach/image-name
@@ -0,0 +1 @@
+ghcr.io/anchore/test-images/vex-oci-attach
\ No newline at end of file
diff --git a/containers/vex-oci-attach/vex.json b/containers/vex-oci-attach/vex.json
new file mode 100644
index 0000000..c8d3f07
--- /dev/null
+++ b/containers/vex-oci-attach/vex.json
@@ -0,0 +1,83 @@
+{
+ "@context": "https://openvex.dev/ns/v0.2.0",
+ "@id": "https://openvex.dev/docs/public/vex-5052083e68a4b14c89035ebcedd6d0da6f131d533079ad3e9020b8cd357ccf49",
+ "author": "Alex Goodman ",
+ "timestamp": "2024-06-17T13:17:48.760049345-05:00",
+ "version": 1,
+ "statements": [
+ {
+ "vulnerability": {
+ "name": "CVE-2016-2781"
+ },
+ "products": [
+ {
+ "@id": "pkg:oci/vex-oci-attach@sha256%3A8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce?repository_url=ghcr.io/anchore/test-images",
+ "subcomponents": [
+ {
+ "@id": "pkg:deb/ubuntu/coreutils@9.4-3ubuntu6?arch=amd64"
+ }
+ ]
+ }
+ ],
+ "status": "fixed"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2022-3219"
+ },
+ "products": [
+ {
+ "@id": "pkg:oci/vex-oci-attach@sha256%3A8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce?repository_url=ghcr.io/anchore/test-images",
+ "subcomponents": [
+ {
+ "@id": "pkg:deb/ubuntu/gpgv@2.4.4-2ubuntu17?arch=amd64"
+ }
+ ]
+ }
+ ],
+ "status": "fixed"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2016-20013"
+ },
+ "products": [
+ {
+ "@id": "pkg:oci/vex-oci-attach@sha256%3A8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce?repository_url=ghcr.io/anchore/test-images",
+ "subcomponents": [
+ {
+ "@id": "pkg:deb/ubuntu/libc-bin@2.39-0ubuntu8.2?arch=amd64"
+ },
+ {
+ "@id": "pkg:deb/ubuntu/libc6@2.39-0ubuntu8.2?arch=amd64"
+ }
+ ]
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_present",
+ "impact_statement": "affected functions were removed before packaging"
+ },
+ {
+ "vulnerability": {
+ "name": "CVE-2023-7008"
+ },
+ "products": [
+ {
+ "@id": "pkg:oci/vex-oci-attach@sha256%3A8b95adbdf01ad43043ea9b63d6ac56abbe0e81b67fe40a27c39b6b83488f70ce?repository_url=ghcr.io/anchore/test-images",
+ "subcomponents": [
+ {
+ "@id": "pkg:deb/ubuntu/libsystemd0@255.4-1ubuntu8?arch=amd64&distro=ubuntu-24.04"
+ },
+ {
+ "@id": "pkg:deb/ubuntu/libudev1@255.4-1ubuntu8?arch=amd64&distro=ubuntu-24.04"
+ }
+ ]
}
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_present",
+ "impact_statement": "affected functions were removed before packaging"
+ }
+ ]
+}
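Review bot: The subcomponent purls in the CVE-2023-7008 statement carry the `&distro=ubuntu-24.04` qualifier while the three earlier statements drop it (`pkg:deb/ubuntu/coreutils@9.4-3ubuntu6?arch=amd64` and so on), so the fixture silently exercises two different purl forms against the same grype artifact purls listed in the README. Whether both forms match presumably depends on how the consumer compares qualifiers, and the file gives no hint that the difference is deliberate. If it is intentional, say so in the README where the ignored matches are listed; otherwise normalise all four statements to one form. The vex.json hunk starts on the previous page line, and the `author` value appears to have lost its email in extraction, so that trailing space may not be in the committed file.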