Check partial image names when validating default branch image
What does this MR do and why?
This MR fixes a problem with validation of the default branch image value returned by the container_scanning analyzer. To generate the location fingerprint value we take the base image value (without the tag/version after the colon), but to verify whether we can use the given default_branch_image value we check the whole image, tag included.
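The mismatch described above, as an added example that is not GitLab's own code: a finding is fingerprinted under the tag-less image name, while the validator that decides whether default_branch_image may be used compares the whole string, so a tag change alone makes the finding look new. Image names, tags, the location_fingerprint construction and the "known images" list are assumptions made for the demonstration.

```ruby
# Added example, not GitLab's code: models why the MR widget reported a
# vulnerability as new when only the image tag changed, and how comparing
# tag-less image names fixes it. All image names and tags are constructed.
require 'digest'

# Finding already stored from the default-branch pipeline.
MAIN_FINDING = { 'image' => 'registry.example.com/group/app/main:9a72db4f',
                 'package' => 'apt' }.freeze

# Finding from the MR pipeline: same package, image built from the MR
# branch, default_branch_image pointing at main with a newer tag.
MR_FINDING = { 'image' => 'registry.example.com/group/app/new-mr:64cb8bf0',
               'default_branch_image' => 'registry.example.com/group/app/main:64cb8bf0',
               'package' => 'apt' }.freeze

# Drop ":tag" from the last path segment only, so "registry:5000/app"
# keeps its port (assumption: "@sha256:..." digests are not in play).
def image_without_tag(image)
  image.sub(%r{:[^/]+\z}, '')
end

# Location fingerprint: tag-less image name plus package name.
def location_fingerprint(image, package)
  Digest::SHA1.hexdigest("#{image_without_tag(image)}:#{package}")
end

# Validator: default_branch_image is usable only if it names an image the
# project already knows (assumed list of strings). compare_tags: true
# reproduces the bug, because the whole string including tag is compared.
def usable_default_branch_image?(candidate, known_images, compare_tags:)
  norm = compare_tags ? ->(img) { img } : method(:image_without_tag)
  known_images.map(&norm).include?(norm.call(candidate))
end

# Image the MR finding is fingerprinted under: the validated
# default_branch_image if usable, otherwise the MR's own image.
def mr_fingerprint(finding, known_images, compare_tags:)
  candidate = finding['default_branch_image']
  usable = candidate && usable_default_branch_image?(candidate, known_images, compare_tags: compare_tags)
  location_fingerprint(usable ? candidate : finding['image'], finding['package'])
end

# true means the widget would list the finding as a new vulnerability.
def new_vulnerability?(compare_tags:)
  known = [MAIN_FINDING['image']]
  mr_fingerprint(MR_FINDING, known, compare_tags: compare_tags) !=
    location_fingerprint(MAIN_FINDING['image'], MAIN_FINDING['package'])
end

puts "before fix, reported as new: #{new_vulnerability?(compare_tags: true)}"  # true
puts "after fix, reported as new:  #{new_vulnerability?(compare_tags: false)}" # false
```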
Migrations
main: == 20220915192521 AddTrigramIndexForVulnerabilityReadsContainerImages: migrating
main: -- transaction_open?()
main: -> 0.0000s
main: -- index_exists?(:vulnerability_reads, :location_image, {:name=>"index_vulnerability_reads_on_location_image_trigram", :using=>:gin, :opclass=>{:location_image=>:gin_trgm_ops}, :where=>"report_type = ANY (ARRAY[2, 7]) AND location_image IS NOT NULL", :algorithm=>:concurrently})
main: -> 0.0106s
main: -- execute("SET statement_timeout TO 0")
main: -> 0.0004s
main: -- add_index(:vulnerability_reads, :location_image, {:name=>"index_vulnerability_reads_on_location_image_trigram", :using=>:gin, :opclass=>{:location_image=>:gin_trgm_ops}, :where=>"report_type = ANY (ARRAY[2, 7]) AND location_image IS NOT NULL", :algorithm=>:concurrently})
main: -> 0.0388s
main: -- execute("RESET statement_timeout")
main: -> 0.0008s
main: == 20220915192521 AddTrigramIndexForVulnerabilityReadsContainerImages: migrated (0.0591s)
ci: == 20220915192521 AddTrigramIndexForVulnerabilityReadsContainerImages: migrating
ci: -- transaction_open?()
ci: -> 0.0000s
ci: -- index_exists?(:vulnerability_reads, :location_image, {:name=>"index_vulnerability_reads_on_location_image_trigram", :using=>:gin, :opclass=>{:location_image=>:gin_trgm_ops}, :where=>"report_type = ANY (ARRAY[2, 7]) AND location_image IS NOT NULL", :algorithm=>:concurrently})
ci: -> 0.0074s
ci: -- execute("SET statement_timeout TO 0")
ci: -> 0.0003s
ci: -- add_index(:vulnerability_reads, :location_image, {:name=>"index_vulnerability_reads_on_location_image_trigram", :using=>:gin, :opclass=>{:location_image=>:gin_trgm_ops}, :where=>"report_type = ANY (ARRAY[2, 7]) AND location_image IS NOT NULL", :algorithm=>:concurrently})
ci: -> 0.0066s
ci: -- execute("RESET statement_timeout")
ci: -> 0.0002s
ci: == 20220915192521 AddTrigramIndexForVulnerabilityReadsContainerImages: migrated (0.0190s)
main: == 20220915192521 AddTrigramIndexForVulnerabilityReadsContainerImages: reverting
main: -- transaction_open?()
main: -> 0.0000s
main: -- indexes(:vulnerability_reads)
main: -> 0.0067s
main: -- execute("SET statement_timeout TO 0")
main: -> 0.0002s
main: -- remove_index(:vulnerability_reads, {:algorithm=>:concurrently, :name=>"index_vulnerability_reads_on_location_image_trigram"})
main: -> 0.0028s
main: -- execute("RESET statement_timeout")
main: -> 0.0003s
main: == 20220915192521 AddTrigramIndexForVulnerabilityReadsContainerImages: reverted (0.0166s)
ci: == 20220915192521 AddTrigramIndexForVulnerabilityReadsContainerImages: reverting
ci: -- transaction_open?()
ci: -> 0.0000s
ci: -- indexes(:vulnerability_reads)
ci: -> 0.0153s
ci: -- execute("SET statement_timeout TO 0")
ci: -> 0.0007s
ci: -- remove_index(:vulnerability_reads, {:algorithm=>:concurrently, :name=>"index_vulnerability_reads_on_location_image_trigram"})
ci: -> 0.0028s
ci: -- execute("RESET statement_timeout")
ci: -> 0.0002s
ci: == 20220915192521 AddTrigramIndexForVulnerabilityReadsContainerImages: reverted (0.0256s)
Queries
explain SELECT 1 AS one FROM "vulnerability_reads" WHERE "vulnerability_reads"."project_id" = 15 AND "vulnerability_reads"."report_type" = 2 AND "vulnerability_reads"."location_image" ILIKE 'quay';
Time: 25.029 ms
- planning: 8.703 ms
- execution: 16.326 ms
- I/O read: 15.952 ms
- I/O write: 0.000 ms
Shared buffers:
- hits: 3 (~24.00 KiB) from the buffer pool
- reads: 4 (~32.00 KiB) from the OS file cache, including disk I/O
- dirtied: 0
- writes: 0
Details and visualization: https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/12183/commands/43257.
How to set up and validate locally
Example below:
- Create new project
- Add new files:
  - .gitlab-ci.yml
    container_scanning:
      image: "busybox:latest"
      stage: test
      script:
        - echo "test"
      artifacts:
        reports:
          container_scanning: gl-container-scanning-report.json
        paths: [gl-container-scanning-report.json]
  - gl-container-scanning-report.json
    { "vulnerabilities":[ { "id":"2562abadf0eff0a7f858ec8ddfd2abebd0612d99", "description":"It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", "severity":"Low", "solution":"No solution provided", "location":{ "dependency":{ "package":{ "name":"apt" }, "version":"2.2.4" }, "operating_system":"debian 11.4", "image":"registry.gitlab.com/gitlab-org/govern/demos/sandbox/my-notes-2/main:9a72db4fc0d0582731d9e9797f28e24b3e6fe71a", "default_branch_image":"registry.gitlab.com/gitlab-org/govern/demos/sandbox/my-notes-2/main:9a72db4fc0d0582731d9e9797f28e24b3e6fe71a" }, "identifiers":[ { "type":"cve", "name":"CVE-2011-3374", "value":"CVE-2011-3374", "url":"https://access.redhat.com/security/cve/cve-2011-3374" } ], "links":[ { "url":"https://access.redhat.com/security/cve/cve-2011-3374" }, { "url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480" }, { "url":"https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html" }, { "url":"https://seclists.org/fulldisclosure/2011/Sep/221" }, { "url":"https://security-tracker.debian.org/tracker/CVE-2011-3374" }, { "url":"https://snyk.io/vuln/SNYK-LINUX-APT-116518" }, { "url":"https://ubuntu.com/security/CVE-2011-3374" } ] } ], "remediations":[], "scan":{ "scanner":{ "id":"trivy", "name":"Trivy", "url":"https://github.com/aquasecurity/trivy/", "vendor":{ "name":"GitLab" }, "version":"0.31.2" }, "analyzer":{ "id":"gcs", "name":"GitLab Container Scanning", "vendor":{ "name":"GitLab" }, "version":"5.1.20" }, "type":"container_scanning", "start_time":"2022-09-12T07:29:18", "end_time":"2022-09-12T07:29:39", "status":"success" }, "version":"15.0.6" }
- Create new MR with change:
diff --git a/gl-container-scanning-report.json b/gl-container-scanning-report.json index 44d68dc..26d98ae 100644 --- a/gl-container-scanning-report.json +++ b/gl-container-scanning-report.json @@ -13,8 +13,8 @@ "version":"2.2.4" }, "operating_system":"debian 11.4", - "image":"registry.gitlab.com/gitlab-org/govern/demos/sandbox/my-notes-2/main:9a72db4fc0d0582731d9e9797f28e24b3e6fe71a", - "default_branch_image":"registry.gitlab.com/gitlab-org/govern/demos/sandbox/my-notes-2/main:9a72db4fc0d0582731d9e9797f28e24b3e6fe71a" + "image":"registry.gitlab.com/gitlab-org/govern/demos/sandbox/my-notes-2/new-mr:64cb8bf074451125da000954975bb8adc8fbdf39", + "default_branch_image":"registry.gitlab.com/gitlab-org/govern/demos/sandbox/my-notes-2/main:64cb8bf074451125da000954975bb8adc8fbdf39" }, "identifiers":[ {
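Review bot: this hunk changes the image path (from main to new-mr) and both tags at once, while default_branch_image keeps the main path with only its tag changed, which is exactly the case the fix targets; the expected widget result therefore only covers the tag-only difference. Consider adding a second setup step in which default_branch_image's path differs from the existing finding's path, and stating that the widget should then still report a new vulnerability, so the validation's reject path is exercised as well as its accept path.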
- Take a look at the Security Widget; it should show the "Container scanning detected no new vulnerabilities." message:
Testing
I've confirmed this change locally:
- Before change:
  MR widget shows new vulnerabilities if image path is changed:
- After change:
  MR widget does not show new vulnerabilities if image path is changed:
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #373455 (closed)