From a7010fd48d7ff2cc7f7400936e93bed051cc9ef1 Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Thu, 25 Jul 2024 11:13:57 -0700
Subject: [PATCH] Add known VEX files to build process (#1969)

---
 .github/workflows/build-and-push-image.yaml | 37 +++++++++++++++++-
 .github/workflows/dev-build.yaml            | 43 +++++++++++++++++++--
 docker/vex/CVE-2019-10790.vex.json          | 33 +---------------
 docker/vex/CVE-2024-29415.vex.json          | 22 +++++++++++
 docker/vex/CVE-2024-37890.vex.json          | 33 +---------------
 docker/vex/CVE-2024-4068.vex.json           | 22 +++++++++++
 6 files changed, 124 insertions(+), 66 deletions(-)
 create mode 100644 docker/vex/CVE-2024-29415.vex.json
 create mode 100644 docker/vex/CVE-2024-4068.vex.json

diff --git a/.github/workflows/build-and-push-image.yaml b/.github/workflows/build-and-push-image.yaml
index 5098fa601..d3a141d8a 100644
--- a/.github/workflows/build-and-push-image.yaml
+++ b/.github/workflows/build-and-push-image.yaml
@@ -22,7 +22,6 @@ on:
       - '.github/ISSUE_TEMPLATE/**/*'
       - 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
       - 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
-      - 'docker/vex/*' # CVE exceptions we know are not in risk
 
 jobs:
   push_multi_platform_to_registries:
@@ -95,3 +94,39 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+      
+      # For Docker scout there are some intermediary reported CVEs which exists outside
+      # of execution content or are unreachable by an attacker but exist in image.
+      # We create VEX files for these so they don't show in scout summary. 
+      - name: Collect known and verified CVE exceptions
+        id: cve-list
+        run: |
+          # Collect CVEs from filenames in vex folder
+          CVE_NAMES=""
+          for file in ./docker/vex/*.vex.json; do
+            [ -e "$file" ] || continue
+            filename=$(basename "$file")
+            stripped_filename=${filename%.vex.json}
+            CVE_NAMES+=" $stripped_filename"
+          done
+          echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
+        shell: bash
+
+      # About VEX attestations https://docs.docker.com/scout/explore/exceptions/
+      # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
+      - name: Add VEX attestations
+        env:
+          CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
+        run: |
+          echo $CVE_EXCEPTIONS
+          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+          for cve in $CVE_EXCEPTIONS; do
+            for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
+              echo "Attaching VEX exception $cve to $tag"
+              docker scout attestation add \
+              --file "./docker/vex/$cve.vex.json" \
+              --predicate-type https://openvex.dev/ns/v0.2.0 \
+              $tag
+            done
+          done
+        shell: bash
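Review bot: `curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --` executes an unpinned script from the `main` branch inside a job that, by its name and the push step just above, holds registry credentials, so any change to that script runs with those credentials on every release build; pin the installer to a specific release tag or commit and check its digest before running it, or install a released scout-cli binary the same way. The loop `for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do` is double-quoted, so it runs exactly once with every tag in a single string, and the unquoted `$tag` then hands all tags as separate arguments to one `docker scout attestation add` call, which is presumably not what was intended. Passing the list through the step's `env:` as `TAGS: ${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}` and looping with `for tag in $TAGS; do` gives one attestation call per tag and keeps the workflow expression out of the shell text. `"$tag"` on the docker command line and `"$GITHUB_OUTPUT"` in the redirect should be double-quoted in the same spirit. The identical step pair added in the dev-build.yaml hunk below has the same issues.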
diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml
index dd433e420..e81d99c58 100644
--- a/.github/workflows/dev-build.yaml
+++ b/.github/workflows/dev-build.yaml
@@ -1,4 +1,4 @@
-name: Publish AnythingLLM Development Docker image (amd64)
+name: AnythingLLM Development Docker image (amd64)
 
 concurrency:
   group: build-${{ github.ref }}
@@ -6,7 +6,7 @@ concurrency:
 
 on:
   push:
-    branches: ['jwt-bump'] # put your current branch to create a build. Core team only.
+    branches: ['vex'] # put your current branch to create a build. Core team only.
     paths-ignore:
       - '**.md'
       - 'cloud-deployments/*'
@@ -16,7 +16,6 @@ on:
       - '.github/ISSUE_TEMPLATE/**/*'
       - 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
       - 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
-      - 'docker/vex/*' # CVE exceptions we know are not in risk
 
 jobs:
   push_multi_platform_to_registries:
@@ -75,3 +74,41 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      # For Docker scout there are some intermediary reported CVEs which exists outside
+      # of execution content or are unreachable by an attacker but exist in image.
+      # We create VEX files for these so they don't show in scout summary. 
+      - name: Collect known and verified CVE exceptions
+        id: cve-list
+        run: |
+          # Collect CVEs from filenames in vex folder
+          CVE_NAMES=""
+          for file in ./docker/vex/*.vex.json; do
+            [ -e "$file" ] || continue
+            filename=$(basename "$file")
+            stripped_filename=${filename%.vex.json}
+            CVE_NAMES+=" $stripped_filename"
+          done
+          echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
+        shell: bash
+
+      # About VEX attestations https://docs.docker.com/scout/explore/exceptions/
+      # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
+      - name: Add VEX attestations
+        env:
+          CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
+        run: |
+          echo $CVE_EXCEPTIONS
+          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+          for cve in $CVE_EXCEPTIONS; do
+            for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
+              echo "Attaching VEX exception $cve to $tag"
+              docker scout attestation add \
+              --file "./docker/vex/$cve.vex.json" \
+              --predicate-type https://openvex.dev/ns/v0.2.0 \
+              $tag
+            done
+          done
+        shell: bash
+
+      
\ No newline at end of file
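Review bot: The file now ends with a whitespace-only line (the `+      ` at the tail of this hunk) followed by `\ No newline at end of file`; drop the trailing indented blank line and end the workflow with a single newline so yamllint's trailing-spaces and new-line-at-end-of-file checks pass. The two new steps are a byte-for-byte copy of the ones added to build-and-push-image.yaml in the same commit; if both workflows keep them, a composite action under `.github/actions/` or a reusable workflow would keep the installer pinning and the tag loop in one place so a later fix cannot land in only one of the two files.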
diff --git a/docker/vex/CVE-2019-10790.vex.json b/docker/vex/CVE-2019-10790.vex.json
index d6044ac6f..4233fd146 100644
--- a/docker/vex/CVE-2019-10790.vex.json
+++ b/docker/vex/CVE-2019-10790.vex.json
@@ -12,40 +12,11 @@
       "timestamp": "2024-07-22T13:49:12.883678-07:00",
       "products": [
         {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@render",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/taffydb@2.6.2"
-            }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@railway",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/taffydb@2.6.2"
-            }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@latest",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/taffydb@2.6.2"
-            }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@master",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/taffydb@2.6.2"
-            }
-          ]
+          "@id": "pkg:npm/taffydb@2.6.2"
         }
       ],
       "status": "not_affected",
-      "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
+      "justification": "vulnerable_code_not_in_execute_path"
     }
   ]
 }
\ No newline at end of file
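Review bot: The justification moves from `vulnerable_code_cannot_be_controlled_by_adversary` to `vulnerable_code_not_in_execute_path` while the statement `timestamp` (`2024-07-22T13:49:12.883678-07:00`, in the context at the top of the hunk) is left as it was and the commit gives no reason for the new claim; a VEX statement is a security assertion consumed by downstream scanners, so the statement should carry an `impact_statement` saying why the taffydb code is never reached from the image, and if the document uses the OpenVEX `last_updated` field it should be bumped with the change. Replacing the four `pkg:docker/mintplexlabs/anythingllm@<tag>` products with subcomponents by a bare `pkg:npm/taffydb@2.6.2` product changes what the statement applies to; the scout exceptions documentation linked from the workflow shows the image-as-product/package-as-subcomponent form, so confirm that scout matches the package-as-product form before relying on the summary going clean. The same two changes are made to CVE-2024-37890.vex.json below.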
diff --git a/docker/vex/CVE-2024-29415.vex.json b/docker/vex/CVE-2024-29415.vex.json
new file mode 100644
index 000000000..dfe5b4623
--- /dev/null
+++ b/docker/vex/CVE-2024-29415.vex.json
@@ -0,0 +1,22 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
+  "author": "tim@mintplexlabs.com",
+  "timestamp": "2024-07-19T16:08:47.147169-07:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2024-29415"
+      },
+      "timestamp": "2024-07-19T16:08:47.147172-07:00",
+      "products": [
+        {
+          "@id": "pkg:npm/ip@2.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present"
+    }
+  ]
+}
\ No newline at end of file
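Review bot: The document `@id` `https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004` is the same value used in the new CVE-2024-4068.vex.json, as are both timestamps, so the two files look copied from one another rather than separately generated; `@id` identifies an OpenVEX document, and tooling that keys on it may treat the second attestation as a duplicate of the first, so each file should get its own id (vexctl mints a fresh one per document it creates). The justification `vulnerable_code_not_present` asserts the vulnerable code is absent from the product, yet the product named is the flagged version `pkg:npm/ip@2.0.0` itself; the other two files in this commit use `vulnerable_code_not_in_execute_path`, which is the claim normally made for code that ships in the image but is never called, so check which one is intended here and add an `impact_statement` explaining it. The same points apply to CVE-2024-4068.vex.json below.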
diff --git a/docker/vex/CVE-2024-37890.vex.json b/docker/vex/CVE-2024-37890.vex.json
index 89de7553c..13498ec66 100644
--- a/docker/vex/CVE-2024-37890.vex.json
+++ b/docker/vex/CVE-2024-37890.vex.json
@@ -12,40 +12,11 @@
       "timestamp": "2024-07-19T16:08:47.147172-07:00",
       "products": [
         {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@render",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/ws@8.14.2"
-            }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@railway",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/ws@8.14.2"
-            }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@latest",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/ws@8.14.2"
-            }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@master",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/ws@8.14.2"
-            }
-          ]
+          "@id": "pkg:npm/ws@8.14.2"
         }
       ],
       "status": "not_affected",
-      "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
+      "justification": "vulnerable_code_not_in_execute_path"
     }
   ]
 }
\ No newline at end of file
diff --git a/docker/vex/CVE-2024-4068.vex.json b/docker/vex/CVE-2024-4068.vex.json
new file mode 100644
index 000000000..41f73ed3e
--- /dev/null
+++ b/docker/vex/CVE-2024-4068.vex.json
@@ -0,0 +1,22 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
+  "author": "tim@mintplexlabs.com",
+  "timestamp": "2024-07-19T16:08:47.147169-07:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2024-4068"
+      },
+      "timestamp": "2024-07-19T16:08:47.147172-07:00",
+      "products": [
+        {
+          "@id": "pkg:npm/braces@3.0.2"
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present"
+    }
+  ]
+}
\ No newline at end of file
-- 
GitLab