COSIGN_VULN_ATTESTATION_SPEC.md

File metadata and controls

431 lines (402 loc) · 17 KB

Cosign Vulnerability Scan Record Attestation Specification

Cosign makes heavy use of in-toto attestation predicate models in its own codebase, but those are not the only predicates you can work with in cosign. Cosign also defines its own predicates (see the Generic Predicate Specification), and this Vulnerability Scan attestation is one of them.

A brief note on the history of this specification: the idea was first raised in the in-toto attestation repository. Many people were interested in that issue and shared ideas about which parts are necessary and which are not, so that the specification stays well-purposed. There is also a cross-referenced issue on the cosign side where we discussed it.

The final format is defined as follows:

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [
    {
      ...
    }
  ],
  // Predicate:
  "predicateType": "cosign.sigstore.dev/attestation/vuln/v1",
  "predicate": {
    "invocation": {
      "parameters": [],
      // [ "--format=json", "--skip-db-update" ]
      "uri": "",
      // https://github.com/developer-guy/alpine/actions/runs/1071875574
      "event_id": "",
      // 1071875574
      "builder.id": ""
      // GitHub Actions
    },
    "scanner": {
      "uri": "",
      // pkg:github/aquasecurity/trivy@244fd47e07d1004f0aed9
      "version": "",
      // 0.19.2
      "db": {
        "uri": "",
        // pkg:github/aquasecurity/trivy-db/commit/4c76bb580b2736d67751410fa4ab66d2b6b9b27d
        "version": ""
        // "v1-2021080612"
      },
      "result": {}
    },
    "metadata": {
      "scanStartedOn": "",
      // 2021-08-06T17:45:50.52Z
      "scanFinishedOn": ""
      // 2021-08-06T17:50:50.52Z
    }
  }
}

Fields

scanner

There are many container image scanners, such as Trivy, Grype and Clair. This field describes which scanner performed the container image scan, its version, and which vulnerability DB it used.

scanner.uri string (ResourceURI), optional

URI indicating the identity of the source of the scanner.

scanner.version string (ResourceURI), optional

The version of the scanner.

scanner.db.uri string (ResourceURI), optional

URI indicating the identity of the source of the Vulnerability DB.

scanner.db.version string, optional

The version of the Vulnerability DB.

scanner.result object

This is the most important part of the field, because it stores the scan result as a whole. Consumers can feed this field to policy engine tooling to decide whether to allow or deny an image based on its findings.

metadata.scanStartedOn string (Timestamp), required

The timestamp of when the scan started.

metadata.scanFinishedOn string (Timestamp), required

The timestamp of when the scan completed.
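A validator for the field rules above, as an added example that is not part of cosign or this spec: it checks the statement and predicate types, that scanner.result is an object, and that both required metadata timestamps are present, RFC 3339 formatted and in order.

```python
"""Validate an in-toto statement against the cosign vuln predicate spec (added example, not cosign's code)."""
from datetime import datetime

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "cosign.sigstore.dev/attestation/vuln/v1"


def parse_rfc3339(value):
    """Parse the RFC 3339 form used on this page (e.g. 2021-08-06T17:45:50.52Z); None if invalid."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt)
        except (TypeError, ValueError):
            continue
    return None


def validate_vuln_statement(stmt):
    """Return the list of spec violations; an empty list means the statement is well-formed."""
    errors = []
    if stmt.get("_type") != STATEMENT_TYPE:
        errors.append("_type must be " + STATEMENT_TYPE)
    if stmt.get("predicateType") != PREDICATE_TYPE:
        errors.append("predicateType must be " + PREDICATE_TYPE)
    if not stmt.get("subject"):
        errors.append("subject must name at least one artifact")
    pred = stmt.get("predicate") or {}
    # scanner.result is the one scanner field not marked optional: it must be a JSON object
    scanner = pred.get("scanner") or {}
    if not isinstance(scanner.get("result"), dict):
        errors.append("scanner.result must be an object")
    # the other scanner fields are optional, but when present they are strings
    for name in ("uri", "version"):
        if name in scanner and not isinstance(scanner[name], str):
            errors.append("scanner." + name + " must be a string")
    # both metadata timestamps are required and must parse as RFC 3339
    meta = pred.get("metadata") or {}
    started = parse_rfc3339(meta.get("scanStartedOn"))
    finished = parse_rfc3339(meta.get("scanFinishedOn"))
    if started is None:
        errors.append("metadata.scanStartedOn is required (RFC 3339 timestamp)")
    if finished is None:
        errors.append("metadata.scanFinishedOn is required (RFC 3339 timestamp)")
    if started and finished and finished < started:
        errors.append("metadata.scanFinishedOn precedes metadata.scanStartedOn")
    return errors
```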

Scan Result

The following is Trivy's JSON output for the alpine:3.12 image; the example predicate further below embeds it as scanner.result:

$ trivy image -f json alpine:3.12
{
  "SchemaVersion": 2,
  "ArtifactName": "alpine:3.12",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.12.9"
    },
    "ImageID": "sha256:b0925e0819214cd29937af66dbaf0e6fe239997faea60922cc890f9984512507",
    "DiffIDs": [
      "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7"
    ],
    "RepoTags": [
      "alpine:3.12"
    ],
    "RepoDigests": [
      "alpine@sha256:d9459083f962de6bd980ae6a05be2a4cf670df6a1d898157bceb420342bec280"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "container": "385e1cc96cc7482dfb6847e293bb24baecd3f48a49791b9b45e297204b160287",
      "created": "2021-11-12T17:20:08.442217528Z",
      "docker_version": "20.10.7",
      "history": [
        {
          "created": "2021-11-12T17:20:08.190319702Z",
          "created_by": "/bin/sh -c #(nop) ADD file:8f5bc5ce64ef781adadca88e4004e17affc72e6f20dbd08b9c478def12fe1dd3 in / "
        },
        {
          "created": "2021-11-12T17:20:08.442217528Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
          "empty_layer": true
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7"
        ]
      },
      "config": {
        "Cmd": [
          "/bin/sh"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "Image": "sha256:7d1c1e4b291dc9519b43a2b9c9330655927f6dfde90d36ef5fd16b2ae0f28bbc"
      }
    }
  },
  "Results": [
    {
      "Target": "alpine:3.12 (alpine 3.12.9)",
      "Class": "os-pkgs",
      "Type": "alpine",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2021-28831",
          "PkgName": "busybox",
          "InstalledVersion": "1.31.1-r21",
          "FixedVersion": "1.32.1-r4",
          "Layer": {
            "Digest": "sha256:8572bc8fb8a32061648dd183b2c0451c82be1bd053a4ea8fae991436b92faebb",
            "DiffID": "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831",
          "Title": "busybox: invalid free or segmentation fault via malformed gzip data",
          "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-755"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V2Score": 5,
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
            "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd",
            "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/",
            "https://security.gentoo.org/glsa/202105-09",
            "https://ubuntu.com/security/notices/USN-5179-1"
          ],
          "PublishedDate": "2021-03-19T05:15:00Z",
          "LastModifiedDate": "2021-05-26T10:15:00Z"
        },
        {
          "VulnerabilityID": "CVE-2021-28831",
          "PkgName": "ssl_client",
          "InstalledVersion": "1.31.1-r21",
          "FixedVersion": "1.32.1-r4",
          "Layer": {
            "Digest": "sha256:8572bc8fb8a32061648dd183b2c0451c82be1bd053a4ea8fae991436b92faebb",
            "DiffID": "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831",
          "Title": "busybox: invalid free or segmentation fault via malformed gzip data",
          "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-755"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V2Score": 5,
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
            "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd",
            "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/",
            "https://security.gentoo.org/glsa/202105-09",
            "https://ubuntu.com/security/notices/USN-5179-1"
          ],
          "PublishedDate": "2021-03-19T05:15:00Z",
          "LastModifiedDate": "2021-05-26T10:15:00Z"
        }
      ]
    }
  ]
}

Here is an example predicate embedding the scan result above:

{
  "predicate": {
    "invocation": {
      "parameters": [
        "--format=json"
      ],
      "uri": "https://github.com/developer-guy/alpine/actions/runs/1071875574",
      "event_id": "1071875574",
      "builder.id": "github actions"
    },
    "scanner": {
      "uri": "pkg:github/aquasecurity/trivy@244fd47e07d1004f0aed9",
      "version": "0.19.2",
      "db": {
        "uri": "pkg:github/aquasecurity/trivy-db/commit/4c76bb580b2736d67751410fa4ab66d2b6b9b27d",
        "version": "v1-2021080612"
      },
      "result": {
        "SchemaVersion": 2,
        "ArtifactName": "alpine:3.12",
        "ArtifactType": "container_image",
        "Metadata": {
          "OS": {
            "Family": "alpine",
            "Name": "3.12.9"
          },
          "ImageID": "sha256:b0925e0819214cd29937af66dbaf0e6fe239997faea60922cc890f9984512507",
          "DiffIDs": [
            "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7"
          ],
          "RepoTags": [
            "alpine:3.12"
          ],
          "RepoDigests": [
            "alpine@sha256:d9459083f962de6bd980ae6a05be2a4cf670df6a1d898157bceb420342bec280"
          ],
          "ImageConfig": {
            "architecture": "amd64",
            "container": "385e1cc96cc7482dfb6847e293bb24baecd3f48a49791b9b45e297204b160287",
            "created": "2021-11-12T17:20:08.442217528Z",
            "docker_version": "20.10.7",
            "history": [
              {
                "created": "2021-11-12T17:20:08.190319702Z",
                "created_by": "/bin/sh -c #(nop) ADD file:8f5bc5ce64ef781adadca88e4004e17affc72e6f20dbd08b9c478def12fe1dd3 in / "
              },
              {
                "created": "2021-11-12T17:20:08.442217528Z",
                "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
                "empty_layer": true
              }
            ],
            "os": "linux",
            "rootfs": {
              "type": "layers",
              "diff_ids": [
                "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7"
              ]
            },
            "config": {
              "Cmd": [
                "/bin/sh"
              ],
              "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
              ],
              "Image": "sha256:7d1c1e4b291dc9519b43a2b9c9330655927f6dfde90d36ef5fd16b2ae0f28bbc"
            }
          }
        },
        "Results": [
          {
            "Target": "alpine:3.12 (alpine 3.12.9)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
              {
                "VulnerabilityID": "CVE-2021-28831",
                "PkgName": "busybox",
                "InstalledVersion": "1.31.1-r21",
                "FixedVersion": "1.32.1-r4",
                "Layer": {
                  "Digest": "sha256:8572bc8fb8a32061648dd183b2c0451c82be1bd053a4ea8fae991436b92faebb",
                  "DiffID": "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7"
                },
                "SeveritySource": "nvd",
                "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831",
                "Title": "busybox: invalid free or segmentation fault via malformed gzip data",
                "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.",
                "Severity": "HIGH",
                "CweIDs": [
                  "CWE-755"
                ],
                "CVSS": {
                  "nvd": {
                    "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                    "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                    "V2Score": 5,
                    "V3Score": 7.5
                  },
                  "redhat": {
                    "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                    "V3Score": 7.5
                  }
                },
                "References": [
                  "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
                  "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd",
                  "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html",
                  "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/",
                  "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/",
                  "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/",
                  "https://security.gentoo.org/glsa/202105-09",
                  "https://ubuntu.com/security/notices/USN-5179-1"
                ],
                "PublishedDate": "2021-03-19T05:15:00Z",
                "LastModifiedDate": "2021-05-26T10:15:00Z"
              },
              {
                "VulnerabilityID": "CVE-2021-28831",
                "PkgName": "ssl_client",
                "InstalledVersion": "1.31.1-r21",
                "FixedVersion": "1.32.1-r4",
                "Layer": {
                  "Digest": "sha256:8572bc8fb8a32061648dd183b2c0451c82be1bd053a4ea8fae991436b92faebb",
                  "DiffID": "sha256:eb4bde6b29a6746e0779f80a09ca6f0806de61475059f7d56d6e20f6cc2e15f7"
                },
                "SeveritySource": "nvd",
                "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-28831",
                "Title": "busybox: invalid free or segmentation fault via malformed gzip data",
                "Description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.",
                "Severity": "HIGH",
                "CweIDs": [
                  "CWE-755"
                ],
                "CVSS": {
                  "nvd": {
                    "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                    "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                    "V2Score": 5,
                    "V3Score": 7.5
                  },
                  "redhat": {
                    "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                    "V3Score": 7.5
                  }
                },
                "References": [
                  "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
                  "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd",
                  "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html",
                  "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/",
                  "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/",
                  "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/",
                  "https://security.gentoo.org/glsa/202105-09",
                  "https://ubuntu.com/security/notices/USN-5179-1"
                ],
                "PublishedDate": "2021-03-19T05:15:00Z",
                "LastModifiedDate": "2021-05-26T10:15:00Z"
              }
            ]
          }
        ]
      }
    },
    "metadata": {
      "scanStartedOn": "2021-08-06T17:45:50.52Z",
      "scanFinishedOn": "2021-08-06T17:50:50.52Z"
    }
  }
}
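An admission check over the example predicate, as an added example that is not cosign's or Trivy's code: SAMPLE_STATEMENT is constructed from the values on this page (the subject name `alpine` is assumed), and the policy denies when scanner.result describes a different image than the attested subject, or when a fixable HIGH or CRITICAL finding is present.

```python
"""Admission decision over a cosign vuln attestation (added example, not cosign's or Trivy's code).
SAMPLE_STATEMENT is constructed from the values shown on this page; the subject name is assumed."""

SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "alpine", "digest": {
        "sha256": "d9459083f962de6bd980ae6a05be2a4cf670df6a1d898157bceb420342bec280"}}],
    "predicateType": "cosign.sigstore.dev/attestation/vuln/v1",
    "predicate": {
        "scanner": {"uri": "pkg:github/aquasecurity/trivy@244fd47e07d1004f0aed9", "version": "0.19.2",
                    "result": {  # trimmed Trivy JSON: only the keys the policy reads are kept
                        "Metadata": {"RepoDigests": [
                            "alpine@sha256:d9459083f962de6bd980ae6a05be2a4cf670df6a1d898157bceb420342bec280"]},
                        "Results": [{"Target": "alpine:3.12 (alpine 3.12.9)", "Vulnerabilities": [
                            {"VulnerabilityID": "CVE-2021-28831", "PkgName": "busybox",
                             "Severity": "HIGH", "FixedVersion": "1.32.1-r4"},
                            {"VulnerabilityID": "CVE-2021-28831", "PkgName": "ssl_client",
                             "Severity": "HIGH", "FixedVersion": "1.32.1-r4"}]}]}},
        "metadata": {"scanStartedOn": "2021-08-06T17:45:50.52Z", "scanFinishedOn": "2021-08-06T17:50:50.52Z"},
    },
}

def findings(statement, severities=("CRITICAL", "HIGH")):
    """(vulnerability id, package, fixed version) for each finding at or above the cut-off.
    One CVE can appear once per affected package, as CVE-2021-28831 does for busybox and ssl_client."""
    result = statement["predicate"]["scanner"]["result"]
    out = []
    for target in (result.get("Results") or []):
        for v in (target.get("Vulnerabilities") or []):
            if v.get("Severity") in severities:
                out.append((v["VulnerabilityID"], v["PkgName"], v.get("FixedVersion", "")))
    return out

def result_matches_subject(statement):
    """True only if the image the scanner reports on (Metadata.RepoDigests) is the attested subject:
    a result embedded from a scan of some other image must not drive this image's decision."""
    subjects = {s["digest"]["sha256"] for s in statement["subject"]}
    meta = statement["predicate"]["scanner"]["result"].get("Metadata") or {}
    scanned = {d.split("@sha256:", 1)[1] for d in (meta.get("RepoDigests") or []) if "@sha256:" in d}
    return bool(subjects & scanned)

def admit(statement, severities=("CRITICAL", "HIGH"), fixable_only=True):
    """(allowed, reasons): deny on a subject mismatch or on any blocking finding."""
    if not result_matches_subject(statement):
        return False, ["scanner.result does not describe the attested subject digest"]
    reasons = [f"{cve} in {pkg} (fixed in {fixed})" for cve, pkg, fixed in findings(statement, severities)
               if fixed or not fixable_only]
    return not reasons, reasons
```

Deduplicating on VulnerabilityID before reporting is worthwhile: the two findings above are one CVE, but one finding per affected package is what a fix has to address.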