Kubevuln support for VEX document creation #179
Signed-off-by: Ben <ben@armosec.io>
At first glance, it looks OK, maybe I would add more unittest coverage for helper functions like
Signed-off-by: Ben <ben@armosec.io>
It looks like the VEX is generated by default. We should add to the configuration file the "vex capability" so it will not always be generated.
Signed-off-by: Ben <ben@armosec.io>
Made this optional in commit 351ebe8
* Implementing VEX creation and update logic
  Signed-off-by: Ben <ben@armosec.io>
* Connecting VEX creation to "Scanning for CVEs flow"
  Signed-off-by: Ben <ben@armosec.io>
* Integration with Grype working
  Signed-off-by: Ben <ben@armosec.io>
* Made the VEX generation an optional feature
  Signed-off-by: Ben <ben@armosec.io>
* Removing hardcoded index
  Signed-off-by: Ben <ben@armosec.io>
---------
Signed-off-by: Ben <ben@armosec.io>
PR Type:
Enhancement
PR Description:
This PR introduces the creation and update of VEX (Vulnerability EXchange) documents in Kubevuln. VEX is a document format that enables the sharing of vulnerability information about software vulnerabilities between different tools and systems. The implementation includes methods to create a new VEX document if it does not exist or update an existing one. The changes also include unit tests to verify the functionality.
PR Main Files Walkthrough:
files:
repositories/apiserver.go: Added methods to create and update VEX documents. These methods include logic to calculate a canonical hash for the VEX document, sort VEX statements, and create strings from vulnerabilities and components. Also, added the 'StoreVEX' method to the 'APIServerStore' struct.
repositories/apiserver_test.go: Added unit tests for the 'StoreVEX' method to verify the creation and update of VEX documents.
core/ports/repositories.go: Added the 'StoreVEX' method to the 'CVERepository' interface.
core/services/scan.go: Integrated the 'StoreVEX' method into the 'ScanCVE' method to store VEX documents during the scanning process.
repositories/broken.go: Implemented the 'StoreVEX' method in the 'BrokenStore' struct, which returns an expected error.
repositories/memory.go: Implemented the 'StoreVEX' method in the 'MemoryStore' struct, which currently does nothing and returns nil.
go.mod: Added the 'github.com/openvex/go-vex' package as a dependency for handling VEX documents.
User Description:
Overview
Implementation of VEX document creation and update flows in Kubevuln as per #155
Additional Information
VEX is a document format which enables the sharing of vulnerability information about software vulnerabilities between different tools and systems.
Kubescape scans images for vulnerabilities and uses workload behavior information to determine whether these vulnerabilities are reachable for the attack (relevancy).
This enables this implementation to produce a VEX document which describes which of the vulnerabilities need to be dealt with.
How to Test
Added unit tests, otherwise VEX documents are produced together with filtered vulnerability reports.
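As an added example that is not part of this PR or of the go-vex library, the two pieces the walkthrough and the description above refer to in standard-library Go: mapping Kubescape's relevancy verdict onto a VEX statement status, and computing a canonical hash over sorted statements so an update step can tell whether a stored VEX document actually changed. The Statement, Document and Finding types are simplified stand-ins rather than the go-vex types, and all CVE ids and package ids are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"sort"
)

// Simplified stand-ins for the OpenVEX document model (not the go-vex types).
type Statement struct {
	Vulnerability string `json:"vulnerability"`
	Product       string `json:"product"`
	Status        string `json:"status"`
	Justification string `json:"justification,omitempty"`
}
type Document struct {
	Author     string      `json:"author"`
	Statements []Statement `json:"statements"`
}
type Finding struct { // constructed CVE result carrying Kubescape's relevancy verdict
	CVE, PackageID string
	Relevant       bool // vulnerable code is reachable in the running workload
}

// BuildVEX turns relevancy into VEX status: reachable -> affected, otherwise
// not_affected with the OpenVEX justification vulnerable_code_not_in_execute_path.
func BuildVEX(author string, findings []Finding) Document {
	doc := Document{Author: author}
	for _, f := range findings {
		st := Statement{Vulnerability: f.CVE, Product: f.PackageID, Status: "affected"}
		if !f.Relevant {
			st.Status, st.Justification = "not_affected", "vulnerable_code_not_in_execute_path"
		}
		doc.Statements = append(doc.Statements, st)
	}
	return doc
}

// CanonicalHash sorts a copy of the statements by (vulnerability, product) and hashes the
// JSON, so the same findings in any order give one digest that an updater can compare against.
func CanonicalHash(doc Document) string {
	sorted := append([]Statement(nil), doc.Statements...)
	sort.Slice(sorted, func(i, j int) bool { // order by vulnerability, then product
		return sorted[i].Vulnerability+"|"+sorted[i].Product < sorted[j].Vulnerability+"|"+sorted[j].Product
	})
	doc.Statements = sorted   // doc is a copy; the caller's slice is left untouched
	b, _ := json.Marshal(doc) // struct field order makes the encoding deterministic
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}
```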