Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(rust): Add support for cargo-auditable #2675

Merged
merged 4 commits into from
Aug 10, 2022

Conversation

tofay
Copy link
Contributor

@tofay tofay commented Aug 7, 2022

Add support for Rust binaries built with cargo-auditable

Description

Updates trivy to use the cargo-auditable support added to go-dep-parser in aquasecurity/go-dep-parser#119

trivy output prior to this change:

tom@DESKTOP:~/trivy$ trivy -d image --list-all-pkgs --format json docker.io/tofay/hello-rust-auditable:latest
2022-08-07T19:32:16.180+0100    INFO    Vulnerability scanning is enabled
2022-08-07T19:32:16.180+0100    INFO    Secret scanning is enabled
2022-08-07T19:32:16.180+0100    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-07T19:32:16.180+0100    INFO    Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-08-07T19:32:16.285+0100    INFO    Number of language-specific files: 0
{
  "SchemaVersion": 2,
  "ArtifactName": "docker.io/tofay/hello-rust-auditable:latest",
  "ArtifactType": "container_image",
  "Metadata": {
    "ImageID": "sha256:322cc75d4c110bbc910c2492da4cf7df03b3c01427fafd447ca078d726b5accd",
    "DiffIDs": [
      "sha256:bff1bef7312985d25368d69af8a444c9fd6cffca9c8c5a1e32ead7be46794420"
    ],
    "RepoTags": [
      "hello-auditable:latest",
      "stereoscope-fixture-image-rust-auditable:b3cd2276d0cc3b228ca4f3b0d04526b8eb10e80ce1f4cb04cb021444de477e65",
      "stereoscope-fixture-image-rust-auditable:latest",
      "tofay/hello-rust-auditable:latest"
    ],
    "RepoDigests": [
      "tofay/hello-rust-auditable@sha256:1d35d1e007180b3f7500aae5e27560697909132ca9a6d480c4c825534c1c47a9"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "created": "2022-07-21T19:18:05.363011673Z",
      "history": [
        {
          "created": "2022-07-21T19:18:05Z",
          "created_by": "COPY hello-auditable / # buildkit",
          "comment": "buildkit.dockerfile.v0"
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:bff1bef7312985d25368d69af8a444c9fd6cffca9c8c5a1e32ead7be46794420"
        ]
      },
      "config": {
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "WorkingDir": "/"
      }
    }
  }
}

With this change

tom@DESKTOP:~/trivy$ go run cmd/trivy/main.go -d image --list-all-pkgs --format json docker.io/tofay/hello-rust-auditable:latest
2022-08-07T19:31:59.478+0100    INFO    Vulnerability scanning is enabled
2022-08-07T19:31:59.478+0100    INFO    Secret scanning is enabled
2022-08-07T19:31:59.478+0100    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-07T19:31:59.478+0100    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-08-07T19:31:59.618+0100    INFO    Number of language-specific files: 1
2022-08-07T19:31:59.618+0100    INFO    Detecting rustbinary vulnerabilities...
{
  "SchemaVersion": 2,
  "ArtifactName": "docker.io/tofay/hello-rust-auditable:latest",
  "ArtifactType": "container_image",
  "Metadata": {
    "ImageID": "sha256:322cc75d4c110bbc910c2492da4cf7df03b3c01427fafd447ca078d726b5accd",
    "DiffIDs": [
      "sha256:bff1bef7312985d25368d69af8a444c9fd6cffca9c8c5a1e32ead7be46794420"
    ],
    "RepoTags": [
      "hello-auditable:latest",
      "stereoscope-fixture-image-rust-auditable:b3cd2276d0cc3b228ca4f3b0d04526b8eb10e80ce1f4cb04cb021444de477e65",
      "stereoscope-fixture-image-rust-auditable:latest",
      "tofay/hello-rust-auditable:latest"
    ],
    "RepoDigests": [
      "tofay/hello-rust-auditable@sha256:1d35d1e007180b3f7500aae5e27560697909132ca9a6d480c4c825534c1c47a9"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "created": "2022-07-21T19:18:05.363011673Z",
      "history": [
        {
          "created": "2022-07-21T19:18:05Z",
          "created_by": "COPY hello-auditable / # buildkit",
          "comment": "buildkit.dockerfile.v0"
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:bff1bef7312985d25368d69af8a444c9fd6cffca9c8c5a1e32ead7be46794420"
        ]
      },
      "config": {
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "WorkingDir": "/"
      }
    }
  },
  "Results": [
    {
      "Target": "hello-auditable",
      "Class": "lang-pkgs",
      "Type": "rustbinary",
      "Packages": [
        {
          "Name": "auditable",
          "Version": "0.1.0",
          "Layer": {
            "DiffID": "sha256:bff1bef7312985d25368d69af8a444c9fd6cffca9c8c5a1e32ead7be46794420"
          }
        },
        {
          "Name": "hello-auditable",
          "Version": "0.1.0",
          "Layer": {
            "DiffID": "sha256:bff1bef7312985d25368d69af8a444c9fd6cffca9c8c5a1e32ead7be46794420"
          }
        }
      ]
    }
  ]
}

I made a container image containing a binary with cargo-auditable that uses hyper 0.11 (whose dependency tree now has many vulns):

tom@DESKTOP-2SNCTIO:~/trivy$ go run cmd/trivy/main.go image --severity HIGH,CRITICAL --format json cargo-auditable-example:hyper-vuln
2022-08-07T19:49:13.533+0100    INFO    Vulnerability scanning is enabled
2022-08-07T19:49:13.533+0100    INFO    Secret scanning is enabled
2022-08-07T19:49:13.533+0100    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-07T19:49:13.533+0100    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-08-07T19:49:13.544+0100    INFO    Number of language-specific files: 1
2022-08-07T19:49:13.544+0100    INFO    Detecting rustbinary vulnerabilities...
{
  "SchemaVersion": 2,
  "ArtifactName": "cargo-auditable-example:hyper-vuln",
  "ArtifactType": "container_image",
  "Metadata": {
    "ImageID": "sha256:067d2a31048bd3172327db73ba8e896903dcde9b45e50b8237640ea649329e3a",
    "DiffIDs": [
      "sha256:17a414b8ab7739963ccd9d3092d31514eca8c35974e3b3c737461e2e8a6044aa"
    ],
    "RepoTags": [
      "cargo-auditable-example:hyper-vuln"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "created": "2022-08-07T18:46:25.590634382Z",
      "history": [
        {
          "created": "2022-08-07T18:46:25Z",
          "created_by": "COPY audit-example / # buildkit",
          "comment": "buildkit.dockerfile.v0"
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:17a414b8ab7739963ccd9d3092d31514eca8c35974e3b3c737461e2e8a6044aa"
        ]
      },
      "config": {
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "WorkingDir": "/"
      }
    }
  },
  "Results": [
    {
      "Target": "audit-example",
      "Class": "vuln-lang-pkgs",
      "Type": "rustbinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2022-23639",
          "PkgName": "crossbeam-utils",
          "InstalledVersion": "0.7.2",
          "FixedVersion": "0.8.7",
          "Layer": {
            "DiffID": "sha256:17a414b8ab7739963ccd9d3092d31514eca8c35974e3b3c737461e2e8a6044aa"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23639",
          "DataSource": {
            "ID": "osv",
            "Name": "RustSec Advisory Database",
            "URL": "https://github.com/RustSec/advisory-db"
          },
          "Title": "crossbeam-utils provides atomics, synchronization primitives, scoped t ...",
          "Description": "crossbeam-utils provides atomics, synchronization primitives, scoped threads, and other utilities for concurrent programming in Rust. crossbeam-utils prior to version 0.8.7 incorrectly assumed that the alignment of `{i,u}64` was always the same as `Atomic{I,U}64`. However, the alignment of `{i,u}64` on a 32-bit target can be smaller than `Atomic{I,U}64`. This can cause unaligned memory accesses and data race. Crates using `fetch_*` methods with `AtomicCell\u003c{i,u}64\u003e` are affected by this issue. 32-bit targets without `Atomic{I,U}64` and 64-bit targets are not affected by this issue. This has been fixed in crossbeam-utils 0.8.7. There are currently no known workarounds.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-362"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V2Score": 6.8,
              "V3Score": 8.1
            }
          },
          "References": [
            "https://crates.io/crates/crossbeam-utils",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23639",
            "https://github.com/crossbeam-rs/crossbeam/pull/781",
            "https://github.com/crossbeam-rs/crossbeam/releases/tag/crossbeam-utils-0.8.7",
            "https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-qc84-gqf4-9926",
            "https://rustsec.org/advisories/RUSTSEC-2022-0041.html"
          ],
          "PublishedDate": "2022-02-15T19:15:00Z",
          "LastModifiedDate": "2022-06-09T16:15:00Z"
        },
        {
          "VulnerabilityID": "CVE-2020-35863",
          "PkgName": "hyper",
          "InstalledVersion": "0.11.27",
          "FixedVersion": "0.12.34",
          "Layer": {
            "DiffID": "sha256:17a414b8ab7739963ccd9d3092d31514eca8c35974e3b3c737461e2e8a6044aa"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-35863",
          "DataSource": {
            "ID": "osv",
            "Name": "RustSec Advisory Database",
            "URL": "https://github.com/RustSec/advisory-db"
          },
          "Title": "An issue was discovered in the hyper crate before 0.12.34 for Rust. HT ...",
          "Description": "An issue was discovered in the hyper crate before 0.12.34 for Rust. HTTP request smuggling can occur. Remote code execution can occur in certain situations with an HTTP server on the loopback interface.",
          "Severity": "CRITICAL",
          "CweIDs": [
            "CWE-94"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V2Score": 7.5,
              "V3Score": 9.8
            }
          },
          "References": [
            "https://crates.io/crates/hyper",
            "https://github.com/hyperium/hyper/issues/1925",
            "https://rustsec.org/advisories/RUSTSEC-2020-0008.html"
          ],
          "PublishedDate": "2020-12-31T10:15:00Z",
          "LastModifiedDate": "2021-07-21T11:39:00Z"
        },
        {
          "VulnerabilityID": "CVE-2021-32714",
          "PkgName": "hyper",
          "InstalledVersion": "0.11.27",
          "FixedVersion": "0.14.10",
          "Layer": {
            "DiffID": "sha256:17a414b8ab7739963ccd9d3092d31514eca8c35974e3b3c737461e2e8a6044aa"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-32714",
          "DataSource": {
            "ID": "osv",
            "Name": "RustSec Advisory Database",
            "URL": "https://github.com/RustSec/advisory-db"
          },
          "Title": "hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper ...",
          "Description": "hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in \"request smuggling\" or \"desync attacks.\" The vulnerability is patched in version 0.14.10. Two possible workarounds exist. One may reject requests manually that contain a `Transfer-Encoding` header or ensure any upstream proxy rejects `Transfer-Encoding` chunk sizes greater than what fits in 64-bit unsigned integers.",
          "Severity": "CRITICAL",
          "CweIDs": [
            "CWE-190"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
              "V2Score": 6.4,
              "V3Score": 9.1
            }
          },
          "References": [
            "https://crates.io/crates/hyper",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32714",
            "https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9",
            "https://rustsec.org/advisories/RUSTSEC-2021-0079.html"
          ],
          "PublishedDate": "2021-07-07T20:15:00Z",
          "LastModifiedDate": "2021-07-22T12:40:00Z"
        },
        {
          "VulnerabilityID": "CVE-2021-45710",
          "PkgName": "tokio",
          "InstalledVersion": "0.1.22",
          "FixedVersion": "1.8.4, 1.13.1",
          "Layer": {
            "DiffID": "sha256:17a414b8ab7739963ccd9d3092d31514eca8c35974e3b3c737461e2e8a6044aa"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-45710",
          "DataSource": {
            "ID": "osv",
            "Name": "RustSec Advisory Database",
            "URL": "https://github.com/RustSec/advisory-db"
          },
          "Title": "An issue was discovered in the tokio crate before 1.8.4, and 1.9.x thr ...",
          "Description": "An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-362"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V2Score": 5.1,
              "V3Score": 8.1
            }
          },
          "References": [
            "https://crates.io/crates/tokio",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45710",
            "https://github.com/tokio-rs/tokio/issues/4225",
            "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tokio/RUSTSEC-2021-0124.md",
            "https://rustsec.org/advisories/RUSTSEC-2021-0124.html"
          ],
          "PublishedDate": "2021-12-27T00:15:00Z",
          "LastModifiedDate": "2022-01-06T20:57:00Z"
        }
      ]
    }
  ]
}

I based this on the existing golang binary support including unit tests. I wasn't sure what to add for integration tests - it looks like I'd need a trivy maintainer to add an image to ghcr.io/aquasecurity/trivy-test-images?

Related issues

Remove this section if you don't have related PRs.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • [] I've added tests that prove my fix is effective or that my feature works. (not ticked due to integration test question above)
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

for Rust binaries built with cargo-auditable

Signed-off-by: Tom Fay <[email protected]>
@tofay tofay requested a review from knqyf263 as a code owner August 7, 2022 19:02
@knqyf263
Copy link
Collaborator

knqyf263 commented Aug 9, 2022

Thanks. LGTM.
@DmitriyLewen Could you scan Rust binaries?

@DmitriyLewen
Copy link
Contributor

@knqyf263 I built and checked several rust binaries from GitHub Trending.
It works correctly. I didn't find problem.

@tofay i found that docs contain Rust field twice.
Снимок экрана от 2022-08-10 10-16-29
Also need run go mod tidy again.

The rest LGTM. Nice work!

@tofay
Copy link
Contributor Author

tofay commented Aug 10, 2022

Thanks, I've resolved the conflict in go.sum and removed the duplicate "Rust" mention from the documentation.

@DmitriyLewen
Copy link
Contributor

Cool! Thanks!

@knqyf263 knqyf263 merged commit 517d2e0 into aquasecurity:main Aug 10, 2022
@knqyf263
Copy link
Collaborator

Great. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

feat(rust): support scanning of binaries with cargo-auditable
3 participants