Type: Task
Resolution: Done
More details:
The customer is running registry.redhat.io/openshift4/ose-console:v4.14.0-202405081840.p0.g2741f59.assembly.stream.el8
From our scanners we get the name and version of the container:
Name: ose-console
Version: v4.14.0-202405081840.p0.g2741f59.assembly.stream.el8
We match it against the rules we create from the Red Hat feed:
.....
{
  "cve": "CVE-2023-44487",
  ...
  "distro": "redhat",
  "distro_release": "RHEL8",
  "package": "openshift4/ose-console",
  "conditions": [ [ "<v4.15.0-202404030309.p0.geb9d956.assembly.stream.el8" ] ],
  "affected_cpes": [ 574689546 ],
}
{
  "cve": "CVE-2023-44487",
  ...
  "distro": "redhat",
  "distro_release": "RHEL9",
  "type": "package",
  "package": "openshift4/ose-console",
  "conditions": [ [ "<v4.14.0-202311021650.p0.g966e915.assembly.stream" ] ],
  "affected_cpes": [ 555193048 ],
}
The "conditions" section specifies which versions are vulnerable to this CVE.
We match the received version against each of the rules and get the following:
customer version v4.14… < rule version v4.15.., so the container is flagged as vulnerable.
Question: What do you think is the best way to match rules only for the relevant product?
Initial thoughts:
CPE matching:
CPEs should be a good fit, as OpenShift 4.14 is a different product than 4.15.
As seen above, our rules already contain a CPE that we extract from the Red Hat feed.
From our scanners we get the RHEL repos, for example in this case:
"rhelRepos": [
"rhel-8-for-x86_64-appstream-eus-rpms__8_DOT_6",
"rhel-8-for-x86_64-baseos-eus-rpms__8_DOT_6"
],
For non-RPMs we use repository-to-cpe.json to match the repos in the scan result to the CPE we set on the rules.
AFAIK this mapping does not contain CPEs for non-RPMs.
Question: Is there a way to use CPEs to match rules with non-RPM scan results?
Version parsing:
We can consider other ways to identify, both in the scanner (from the container) and in rule creation (from the RHEL feed), that this is an OpenShift product and which release it belongs to.
On the scanner side we could use the labels or parse the repo tag:
"repoTag": {
  "registry": "registry.redhat.io",
  "repo": "openshift4/ose-console",
  "tag": "v4.14.0-202405081840.p0.g2741f59.assembly.stream.el8"
},
"labels": [
  ....
  "version:v4.14.0",
  "io.k8s.display-name:OpenShift Console",
  "name:openshift/ose-console",
  "release:202405081840.p0.g2741f59.assembly.stream.el8",
  "vcs-ref:314e322aef2f79d353ec30d1b729652f8de8be0a",
  "com.redhat.component:openshift-enterprise-console-container",
  "io.openshift.tags:openshift,console",
],
On the feed side, for OVAL we could parse the CPE string, but only for OpenShift.
OVAL
====
For CVE-2023-44487
"affected_release": [
  {
    "product_name": "Red Hat OpenShift Container Platform 4.15",
    "release_date": "2024-02-27T00:00:00Z",
    "advisory": "RHSA-2023:7198",
    "cpe": "cpe:/a:redhat:openshift:4.15::el8",
    "package": "openshift4/ose-console:v4.15.0-202402151637.p0.g803df88.assembly.stream.el8"
  }
]
This will result in
Conditions <v4.15.0-202402151637.p0.g803df88.assembly.stream.el8
RelevantRelease v.4.15.0
For VEX, we could parse the PURL:
{
  "category": "product_version",
  "name": "openshift4/ose-cluster-autoscaler-rhel9@sha256:6c5a3e1205ca49cf8b74502476e57fabb7a9d03f793eb569fd473057561c3578_ppc64le",
  "product": {
    "name": "openshift4/ose-cluster-autoscaler-rhel9@sha256:6c5a3e1205ca49cf8b74502476e57fabb7a9d03f793eb569fd473057561c3578_ppc64le",
    "product_id": "openshift4/ose-cluster-autoscaler-rhel9@sha256:6c5a3e1205ca49cf8b74502476e57fabb7a9d03f793eb569fd473057561c3578_ppc64le",
    "product_identification_helper": {
      "purl": "pkg:oci/ose-cluster-autoscaler-rhel9@sha256:6c5a3e1205ca49cf8b74502476e57fabb7a9d03f793eb569fd473057561c3578?arch=ppc64le&repository_url=registry.redhat.io/openshift4/ose-cluster-autoscaler-rhel9&tag=v4.15.0-202404020808.p0.g05ff8c9.assembly.stream.el9"
    }
  }
}
This will result in
Conditions <v4.15.0-202402151637.p0.g803df88.assembly.stream.el8
RelevantRelease v.4.15.0
Question: What is the best way to match without a CPE?
Thanks in advance!
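An added example (not from the ticket or from any Red Hat or scanner code) that puts the two ideas above together: parse the OpenShift image tag into a comparable key, derive the release stream of a rule from the OVAL CPE string or from the VEX PURL's tag qualifier, derive the release stream of the scanned image from its labels or repo tag, and only then evaluate the version condition. The `release` field on each rule, the `parse_tag`/`release_from_*`/`rule_matches` helpers and the trimmed scan dict are assumptions of this example; the tag, CPE, PURL and rule values are the ones quoted in the ticket. When a rule has no CPE, its release is taken from the version in its own condition, which is what the "RelevantRelease" lines above describe.

```python
import operator
import re
from urllib.parse import parse_qs

# Image tag layout, e.g. v4.14.0-202405081840.p0.g2741f59.assembly.stream.el8:
# major.minor.patch, a build timestamp, then patch level / git hash / flavour / el.
TAG_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<build>\d+))?(?:\.(?P<rest>.*))?$"
)
COND_RE = re.compile(r"^(?P<op>>=|<=|==|<|>)?\s*(?P<version>\S+)$")
OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       ">": operator.gt, ">=": operator.ge}

# PURL quoted in the ticket's VEX snippet.
VEX_PURL = ("pkg:oci/ose-cluster-autoscaler-rhel9@sha256:6c5a3e1205ca49cf8b74502476e57fabb7a9d03f793eb569fd473057561c3578"
            "?arch=ppc64le&repository_url=registry.redhat.io/openshift4/ose-cluster-autoscaler-rhel9"
            "&tag=v4.15.0-202404020808.p0.g05ff8c9.assembly.stream.el9")

def parse_tag(tag):
    """Return a sortable key ((major, minor, patch), build) for an image tag."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised OpenShift image tag: {tag!r}")
    build = int(m["build"]) if m["build"] else 0
    return (int(m["major"]), int(m["minor"]), int(m["patch"])), build

def release_of(tag):
    """'v4.14.0-2024...' -> '4.14': the product stream the image belongs to."""
    (major, minor, _), _ = parse_tag(tag)
    return f"{major}.{minor}"

def release_from_cpe(cpe):
    """OVAL feed: 'cpe:/a:redhat:openshift:4.15::el8' -> '4.15'."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[3] != "openshift":
        raise ValueError(f"not an OpenShift CPE: {cpe!r}")
    return parts[4]

def release_from_purl(purl):
    """VEX feed: (repository, release) from a pkg:oci PURL's qualifiers."""
    _, _, query = purl.partition("?")
    q = parse_qs(query)
    repo = q["repository_url"][0].split("/", 1)[1]   # drop the registry host
    return repo, release_of(q["tag"][0])

def scan_release(scan):
    """Scanner side: prefer the 'version' label, fall back to the repo tag."""
    labels = dict(label.split(":", 1) for label in scan.get("labels", []))
    return release_of(labels.get("version") or scan["repoTag"]["tag"])

def condition_holds(cond, tag):
    """Evaluate one feed condition such as '<v4.15.0-...' against an image tag."""
    m = COND_RE.match(cond)
    return OPS[m["op"] or "=="](parse_tag(tag), parse_tag(m["version"]))

def rule_matches(scan, rule, gate_on_release=True):
    """Package must match; with gating, the release stream must match too.
    'conditions' is a list of AND-groups; any group holding means affected."""
    if rule["package"] != scan["repoTag"]["repo"]:
        return False
    if gate_on_release and rule["release"] != scan_release(scan):
        return False
    tag = scan["repoTag"]["tag"]
    return any(all(condition_holds(c, tag) for c in group)
               for group in rule["conditions"])

def affected_cves(scan, rules, gate_on_release=True):
    return sorted({r["cve"] for r in rules if rule_matches(scan, r, gate_on_release)})

# Constructed from the scanner output quoted in the ticket (label list trimmed).
SCAN = {
    "repoTag": {"registry": "registry.redhat.io", "repo": "openshift4/ose-console",
                "tag": "v4.14.0-202405081840.p0.g2741f59.assembly.stream.el8"},
    "labels": ["version:v4.14.0", "name:openshift/ose-console",
               "release:202405081840.p0.g2741f59.assembly.stream.el8"],
}

def build_rules():
    """The two feed rules from the ticket, each given a 'release' (our own field):
    from the OVAL CPE the ticket shows for 4.15, else from the condition's version."""
    r415 = {"cve": "CVE-2023-44487", "package": "openshift4/ose-console",
            "conditions": [["<v4.15.0-202404030309.p0.geb9d956.assembly.stream.el8"]],
            "release": release_from_cpe("cpe:/a:redhat:openshift:4.15::el8")}
    r414 = {"cve": "CVE-2023-44487", "package": "openshift4/ose-console",
            "conditions": [["<v4.14.0-202311021650.p0.g966e915.assembly.stream"]]}
    r414["release"] = release_of(COND_RE.match(r414["conditions"][0][0])["version"])
    return [r415, r414]

if __name__ == "__main__":
    rules = build_rules()
    # Without gating the 4.15 rule fires on a 4.14 image (the ticket's false positive);
    # with gating only the 4.14 rule is considered, and this image is newer than its fix.
    print("naive:", affected_cves(SCAN, rules, gate_on_release=False))
    print("gated:", affected_cves(SCAN, rules))
    print("vex purl ->", release_from_purl(VEX_PURL))
```

The comparison key deliberately ignores everything after the build timestamp (`p0`, git hash, `assembly.stream`, `el8`), since those do not order releases; the timestamp is what distinguishes two builds of the same z-stream. Gating on the minor release is what turns the `<v4.15.0-…` rule into a no-op for a 4.14 image, while an older 4.14 build still matches the 4.14 rule.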