Enhance v6 search command #2303

Merged
merged 19 commits into from
Jan 15, 2025
Conversation

wagoodman
Contributor

@wagoodman wagoodman commented Dec 4, 2024

Plumbs up the search command for the v6 schema with the store + presenter logic. Functionally this adds the ability to refine affected package searches by various criteria, such as vuln published date, vuln modified date, provider, distro, etc. Note that any form of date searching will be partially functional until there is more data in the DB for search conditions to key off of; in the meantime any records without date information are included in the output.

Here an additional vulnerability command has been added:

$ grype db search vuln --help

Search for vulnerabilities within the DB (supports DB schema v6+ only)

Usage:
  grype db search vuln ID... [flags]

Aliases:
  vuln, vulnerability, vulnerabilities, vulns

Flags:
  -h, --help                     help for vuln
      --limit int                limit the number of results returned (supports DB schema v6+ only) (default 5000)
      --modified-after string    only show vulnerabilities originally published or modified since the given date (format: YYYY-MM-DD) (supports DB schema v6+ only)
  -o, --output string            format to display results (available=[table, json]) (default "table")
      --provider stringArray     only show vulnerabilities from the given provider (supports DB schema v6+ only)
      --published-after string   only show vulnerabilities originally published after the given date (format: YYYY-MM-DD) (supports DB schema v6+ only)


...and the existing search for affected packages command has been enhanced:

$ grype db search --help

Search the DB for vulnerabilities or affected packages

Usage:
  grype db search VULN|PKG... [flags]

Flags:
      --distro stringArray       refine to results with the given operating system (format: 'name', 'name@version', '[email protected]', 'name@codename') (supports DB schema v6+ only)
      --ecosystem string         ecosystem of the package to search within (supports DB schema v6+ only)
  -h, --help                     help for search
      --limit int                limit the number of results returned (supports DB schema v6+ only) (default 5000)
      --modified-after string    only show vulnerabilities originally published or modified since the given date (format: YYYY-MM-DD) (supports DB schema v6+ only)
  -o, --output string            format to display results (available=[table, json]) (default "table")
      --pkg stringArray          package name/CPE/PURL to search for (supports DB schema v6+ only)
      --provider stringArray     only show vulnerabilities from the given provider (supports DB schema v6+ only)
      --published-after string   only show vulnerabilities originally published after the given date (format: YYYY-MM-DD) (supports DB schema v6+ only)
      --vuln stringArray         only show results for the given vulnerability ID (supports DB schema v6+ only)

Here's example output of searching by package:

$ grype db search --pkg log4j --distro [email protected]
VULNERABILITY   PACKAGE  ECOSYSTEM  NAMESPACE              VERSION CONSTRAINT        
CVE-2019-17571  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.27.45  
CVE-2020-9488   log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.27.45  
CVE-2021-4104   log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.27.45  
CVE-2021-42550  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.24.13  
CVE-2021-44228  log4j    rpm        sles:distro:sles:15.6  < 0:2.16.0-4.10.1          
CVE-2021-44832  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.0-4.16.1          
CVE-2021-45046  log4j    rpm        sles:distro:sles:15.6  < 0:2.16.0-4.10.1          
CVE-2021-45105  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.0-4.13.1

It also allows for fuzzier argument input:

$ grype db search ELSA-2023-12205            # same as '--vuln ELSA-2023-12205'
$ grype db search log4j                      # same as '--pkg log4j '
$ grype db search log4j CVE-2021-44228       # same as '--pkg log4j --vuln CVE-2021-44228'
$ grype db search 'pkg:rpm/redhat/openssl'   # same as '--ecosystem rpm --pkg openssl'
$ grype db search 'cpe:2.3:a:jetty:jetty_http_server:*:*:*:*:*:*'
$ grype db search 'cpe:/a:jetty:jetty_http_server'

Notice that we can specify a PURL, CPE, package name, or vulnerability ID -- the search command will attempt to parse each value and adjust the search criteria accordingly. If there is ever any ambiguity or opposition to using arbitrary args, there are still the equivalent flags for each (--pkg and --vuln).

Note that the Namespace mimics the v5 namespace values, even though this is not present in the DB today (in a future PR this code will be moved).

And similarly, example output searching by vulnerability:

$ grype db search vuln CVE-2021-4104
ID             PROVIDER                                                                                 PUBLISHED   SEVERITY                                            REFERENCE                                                 
CVE-2021-4104  debian (10, 11, 12, 13, unstable)                                                                                                                        https://security-tracker.debian.org/tracker/CVE-2021-4104  
CVE-2021-4104  debian (9)                                                                                           high                                                https://security-tracker.debian.org/tracker/CVE-2021-4104  
CVE-2021-4104  nvd                                                                                      2021-12-14  CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)  https://nvd.nist.gov/vuln/detail/CVE-2021-4104             
CVE-2021-4104  rhel (7, 8)                                                                                          medium                                              https://access.redhat.com/security/cve/CVE-2021-4104       
CVE-2021-4104  sles (11.1, 11.3, 11.4, 12.2, 12.3, 12.4, 12.5, 15, 15.1, 15.2, 15.3, 15.4, 15.5, 15.6)              medium                                              https://www.suse.com/security/cve/CVE-2021-4104            
CVE-2021-4104  ubuntu (16.04, 18.04, 20.04, 21.04, 21.10, 23.04, 23.10, 24.04, 24.10)                               medium                                              https://ubuntu.com/security/CVE-2021-4104

Each command has JSON output as well, for which the JSON schemas are automatically generated (and validated in CI on pull requests).

PR stack:

  1. Rename OperatingSystemAliases #2352
  2. Finalize label version and add release id to OS model #2349
  3. Allow v6 store to support multiple qualifiers #2338
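
The fuzzy positional arguments described above (PURL, CPE, package name, or vulnerability ID folded into the equivalent --pkg / --vuln / --ecosystem criteria) as an added example that is not grype's own code: the Criteria type, the vulnerability ID pattern, and the mappings PURL type -> ecosystem, PURL name -> package and CPE product -> package are assumptions made for this illustration.

```go
package main

import (
	"regexp"
	"strings"
)

// Criteria mirrors the explicit flags the fuzzy positional args stand in for.
type Criteria struct {
	Packages  []string // --pkg
	Vulns     []string // --vuln
	Ecosystem string   // --ecosystem
}
// Assumed ID shape PREFIX-YYYY-N... (e.g. CVE-2021-44228, ELSA-2023-12205).
var vulnIDPattern = regexp.MustCompile(`^[A-Za-z]+-\d{4}-\d+$`)

// cpeProduct returns the product field of a 2.3 or URI-form CPE (assumed -> --pkg).
func cpeProduct(cpe string) string {
	parts := strings.Split(cpe, ":")
	if strings.HasPrefix(cpe, "cpe:2.3:") && len(parts) > 4 {
		return parts[4] // cpe:2.3:part:vendor:product:...
	}
	if strings.HasPrefix(cpe, "cpe:/") && len(parts) > 3 {
		return parts[3] // cpe:/part:vendor:product:...
	}
	return cpe // unrecognised form: search it verbatim as a package name
}

// Classify folds each positional arg into the flag it is equivalent to.
func Classify(args []string) Criteria {
	var c Criteria
	for _, a := range args {
		switch {
		case strings.HasPrefix(a, "pkg:"): // PURL: pkg:type/namespace/name@version?q#s
			rest := strings.TrimPrefix(a, "pkg:")
			if i := strings.IndexAny(rest, "@?#"); i >= 0 {
				rest = rest[:i] // drop version, qualifiers and subpath
			}
			parts := strings.Split(rest, "/")
			c.Ecosystem = parts[0] // assumed: PURL type -> --ecosystem
			c.Packages = append(c.Packages, parts[len(parts)-1])
		case strings.HasPrefix(a, "cpe:"):
			c.Packages = append(c.Packages, cpeProduct(a))
		case vulnIDPattern.MatchString(a):
			c.Vulns = append(c.Vulns, a)
		default:
			c.Packages = append(c.Packages, a)
		}
	}
	return c
}
```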

@wagoodman wagoodman force-pushed the v6-search branch 2 times, most recently from 38de0a5 to f2baf2b December 17, 2024 14:12
@wagoodman wagoodman changed the base branch from main to v6-search-store-support December 17, 2024 16:01
@wagoodman wagoodman force-pushed the v6-search-store-support branch from 224be59 to c7f35a1 December 18, 2024 15:54
@wagoodman wagoodman force-pushed the v6-search branch 2 times, most recently from e6fbc31 to d96ae23 December 18, 2024 16:52
@wagoodman wagoodman force-pushed the v6-search-store-support branch from c7f35a1 to 01f1def December 18, 2024 17:54
@wagoodman wagoodman force-pushed the v6-search branch 4 times, most recently from e5651dc to 19840d1 December 18, 2024 19:23
Base automatically changed from v6-search-store-support to main December 18, 2024 19:43
@wagoodman wagoodman force-pushed the v6-search branch 4 times, most recently from 2ab51bd to c410aa6 December 23, 2024 14:51
@wagoodman wagoodman changed the base branch from main to release-id December 23, 2024 14:51
Base automatically changed from release-id to main December 23, 2024 18:28
@wagoodman wagoodman force-pushed the v6-search branch 3 times, most recently from b68f60f to 0802095 December 23, 2024 18:53
@wagoodman wagoodman self-assigned this Jan 8, 2025
@wagoodman wagoodman added the changelog-ignore Don't include this issue in the release changelog label Jan 8, 2025
@wagoodman wagoodman marked this pull request as ready for review January 8, 2025 21:33
return os.MajorVersion
}

func (os *OperatingSystem) Version() string {
Contributor


Not a blocking comment, but I'm curious: What motivates this particular fallback logic?

Contributor Author


Here's the reasoning that went into field precedence:

  • label version tends to override numeric versions ("unstable" is the label for "debian:sid" for instance). There is a good argument that codename should be here, but the only reason why it's not is because vunnel and grype-db reason about a value here over raw values from the vulnerability provider.
  • if not found, then we craft the most specific version possible and return that
  • we don't expect there to be many cases where there is no version information but if so, codename is the only recourse left (which tends to be empty though).
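
The field precedence described in this reply (label version, then the most specific numeric version, then codename) as an added example that is not grype's own code; the OperatingSystem fields are assumed for the illustration, and the Namespace helper renders the v5-style value shown in the package search table above (sles:distro:sles:15.6).

```go
package main

import "fmt"

// OperatingSystem carries the fields the precedence discussion refers to;
// this field set is an assumption for the example, not grype's v6 model.
type OperatingSystem struct {
	Name         string
	MajorVersion string
	MinorVersion string
	LabelVersion string // e.g. "unstable" for debian:sid
	Codename     string // e.g. "bookworm"
}

// Version applies the precedence from the reply: label version first,
// then the most specific numeric version available, then codename.
func (os *OperatingSystem) Version() string {
	if os.LabelVersion != "" {
		return os.LabelVersion
	}
	if os.MajorVersion != "" {
		if os.MinorVersion != "" {
			return os.MajorVersion + "." + os.MinorVersion
		}
		return os.MajorVersion
	}
	return os.Codename // last resort; frequently empty
}

// Namespace renders the v5-style value seen in the search table
// (e.g. sles:distro:sles:15.6) from the provider and resolved version.
func (os *OperatingSystem) Namespace(provider string) string {
	return fmt.Sprintf("%s:distro:%s:%s", provider, os.Name, os.Version())
}

func main() {
	// constructed sample records, one per precedence branch
	for _, o := range []OperatingSystem{
		{Name: "debian", LabelVersion: "unstable", Codename: "sid"},
		{Name: "sles", MajorVersion: "15", MinorVersion: "6"},
		{Name: "rhel", MajorVersion: "8"},
		{Name: "debian", Codename: "bookworm"},
	} {
		fmt.Println(o.Namespace(o.Name))
	}
}
```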

@wagoodman wagoodman enabled auto-merge (squash) January 15, 2025 15:30
@wagoodman wagoodman merged commit a22349b into main Jan 15, 2025
10 checks passed
@wagoodman wagoodman deleted the v6-search branch January 15, 2025 15:48
Labels: changelog-ignore (Don't include this issue in the release changelog)

Successfully merging this pull request may close these issues: Stabilize DB search output

2 participants