CVE bin tool integration, VEX support -> F20 replacement #1452

Open
wants to merge 42 commits into base: master

Conversation

m-1-k-3 (Member) commented Feb 2, 2025

  • What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

Feature

  • What is the current behavior? (You can also link to an open issue here)

F20 quite slow
No VEX support

  • What is the new behavior (if this is a feature change)? If possible add a screenshot.

    • cve-bin-tool main integration - closes cve-bin-tool supported #1439
    • temp patching of cve-bin-tool (see https://github.com/EMBA-support-repos/cve-bin-tool)
    • installer integration
    • build new docker base image
    • JSON builder for VEX
    • s118 integration
    • s26 fixes and integration
    • VEX integration into main SBOM
    • Make our VEX BSI compliant
    • further VEX and F17 configuration via scan profiles (enable/disable addon metrics like EPSS, KEV, Exploits)
    • remove F20 completely

  • Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)

This will replace the current F20 module

  • Other information:

docker base image 1.5.1d needed
Currently work in progress
read only filesystem of our current docker base image is currently not working with cve-bin-tool

@m-1-k-3 m-1-k-3 added the labels enhancement, docker, EMBArk, Installation, cve-search, in progress, EMBA and SBOM on Feb 2, 2025
@m-1-k-3 m-1-k-3 mentioned this pull request Feb 3, 2025
m-1-k-3 (Member, Author) commented Feb 4, 2025

initial test results:

[*] Tue Feb  4 08:44:38 CET 2025 - F17_cve_bin_tool starting
[*] Tue Feb  4 09:20:07 CET 2025 - F17_cve_bin_tool finished
[*] Tue Feb  4 09:20:07 CET 2025 - F20_vul_aggregator starting
[*] Tue Feb  4 11:00:00 CET 2025 - F20_vul_aggregator finished

35 minutes vs 1h:40 minutes ... Feel free to test

Code scanning alert (fixed): modules/F17_cve_bin_tool.sh
m-1-k-3 (Member, Author) commented Feb 4, 2025

VEX data can be viewed in the SBOM directory:

└─$ jq . ~/firmware-analysis/emba_logs_test1/SBOM/EMBA_sbom_vex_only.json

Currently it is not integrated into the final SBOM. Will come soon.


Code scanning alerts (fixed): modules/S118_busybox_verifier.sh (2), modules/F17_cve_bin_tool.sh (3)
@m-1-k-3 m-1-k-3 changed the title CVE bin tool integration -> F20 replacement CVE bin tool integration, VEX support -> F20 replacement Feb 8, 2025
Code scanning alert (fixed) in modules/S118_busybox_verifier.sh:

lVERIFIED_BB_CVE="${lVERIFIED_BB_CVE//;}"
local lV_ENTRY="(V)"
# ensure we have the correct length
lV_ENTRY=$(printf '%s%*s' ${lV_ENTRY} $((19-${#lVERIFIED_BB_CVE}-${#lV_ENTRY})))

Check notice (Code scanning / Shellcheck, reported by Codacy): This format string has 3 variables, but is passed 2 arguments.
Code scanning alert (fixed) in modules/S26_kernel_vuln_verifier.sh:

print_output "[*] Replacing ${lVERIFIED_BB_CVE} in ${LOG_PATH_MODULE}/cve_sum/*_finished.txt" "no_log"
local lV_ENTRY="(V)"
# ensure we have the correct length
lV_ENTRY=$(printf '%s%*s' ${lV_ENTRY} $((19-${#lVERIFIED_BB_CVE}-${#lV_ENTRY})))

Check notice (Code scanning / Shellcheck, reported by Codacy): This format string has 3 variables, but is passed 2 arguments.
m-1-k-3 (Member, Author) commented Feb 11, 2025

F17 looks quite good: it generates a VEX-only JSON and also integrates the VEX data into the SBOM.

The original CycloneDX SBOM is, as before, available without VEX data in f15.

Currently we are not passing the BSI check. It looks as if we have some small issues in our JSON. This needs further investigation.

m-1-k-3 (Member, Author) commented Feb 11, 2025

Not too bad :)

└─$ ~/github-repos/sbomqs-linux-amd64 score /home/m1k3/firmware-analysis/emba_logs_test1/SBOM/EMBA_cyclonedx_vex_sbom.json -b
7.6     cdx     1.5     json    /home/m1k3/firmware-analysis/emba_logs_test1/SBOM/EMBA_cyclonedx_vex_sbom.json
└─$ ~/github-repos/sbomqs-linux-amd64 score /home/m1k3/firmware-analysis/emba_logs_test1/SBOM/EMBA_cyclonedx_vex_sbom.json   
SBOM Quality by Interlynk Score:7.6     components:22   /home/m1k3/firmware-analysis/emba_logs_test1/SBOM/EMBA_cyclonedx_vex_sbom.json
+-----------------------+--------------------------------+-----------+--------------------------------+
|       CATEGORY        |            FEATURE             |   SCORE   |              DESC              |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | comp_with_name                 | 10.0/10.0 | 22/22 have names               |
+                       +--------------------------------+-----------+--------------------------------+
|                       | comp_with_supplier             | 0.0/10.0  | 0/22 have supplier names       |
+                       +--------------------------------+-----------+--------------------------------+
|                       | comp_with_uniq_ids             | 10.0/10.0 | 22/22 have unique ID's         |
+                       +--------------------------------+-----------+--------------------------------+
|                       | comp_with_version              | 9.5/10.0  | 21/22 have versions            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | sbom_authors                   | 10.0/10.0 | doc has 1 authors              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | sbom_creation_timestamp        | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2025-02-11T15:46:38+01:00      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | sbom_dependencies              | 0.0/10.0  | doc has 0 dependencies         |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Quality               | comp_valid_licenses            | 3.2/10.0  | 7/22 components with valid     |
|                       |                                |           | license                        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | comp_with_any_vuln_lookup_id   | 9.5/10.0  | 21/22 components have any      |
|                       |                                |           | lookup id                      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | comp_with_deprecated_licenses  | 10.0/10.0 | 0/22 components have           |
|                       |                                |           | deprecated licenses            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | comp_with_multi_vuln_lookup_id | 0.0/10.0  | 0/22 components have multiple  |
|                       |                                |           | lookup id                      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | comp_with_primary_purpose      | 9.5/10.0  | 21/22 components have primary  |
|                       |                                |           | purpose specified              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | comp_with_restrictive_licenses | 10.0/10.0 | 0/22 components have           |
|                       |                                |           | restricted licenses            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | sbom_with_creator_and_version  | 10.0/10.0 | 1/1 tools have creator and     |
|                       |                                |           | version                        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | sbom_with_primary_component    | 10.0/10.0 | primary component found        |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Semantic              | comp_with_checksums            | 10.0/10.0 | 22/22 have checksums           |
+                       +--------------------------------+-----------+--------------------------------+
|                       | comp_with_licenses             | 3.6/10.0  | 8/22 have licenses             |
+                       +--------------------------------+-----------+--------------------------------+
|                       | sbom_required_fields           | 10.0/10.0 | Doc Fields:true Pkg            |
|                       |                                |           | Fields:true                    |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Sharing               | sbom_sharable                  | 0.0/10.0  | doc has a sharable license     |
|                       |                                |           | free 0 :: of 0                 |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Structural            | sbom_parsable                  | 10.0/10.0 | provided sbom is parsable      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | sbom_spec                      | 10.0/10.0 | provided sbom is in a          |
|                       |                                |           | supported sbom format of       |
|                       |                                |           | spdx,cyclonedx                 |
+                       +--------------------------------+-----------+--------------------------------+
|                       | sbom_spec_file_format          | 10.0/10.0 | provided sbom should be in     |
|                       |                                |           | supported file format for      |
|                       |                                |           | spec: json and version:        |
|                       |                                |           | json,xml                       |
+                       +--------------------------------+-----------+--------------------------------+
|                       | sbom_spec_version              | 10.0/10.0 | provided sbom should be        |
|                       |                                |           | in supported spec version      |
|                       |                                |           | for spec:1.5 and versions:     |
|                       |                                |           | 1.0,1.1,1.2,1.3,1.4,1.5,1.6    |
+-----------------------+--------------------------------+-----------+--------------------------------+

And finally BSI compliance:

└─$ ~/github-repos/sbomqs-linux-amd64 compliance --bsi /home/m1k3/firmware-analysis/emba_logs_test1/SBOM/EMBA_cyclonedx_vex_sbom.json -b
BSI TR-03183-2 v1.1 Compliance Report
Score:4.0 RequiredScore:5.6 OptionalScore:2.4 for /home/m1k3/firmware-analysis/emba_logs_test1/SBOM/EMBA_cyclonedx_vex_sbom.json

@m-1-k-3 m-1-k-3 removed the in progress Someone is working on this label Feb 11, 2025
m-1-k-3 (Member, Author) commented Feb 11, 2025

I think everything is in place to find further bugs ... please give it a try @BenediktMKuehne @beruhan @torabi12 @hands0meware @busby666 and others :)

@m-1-k-3 m-1-k-3 marked this pull request as ready for review February 11, 2025 15:30
m-1-k-3 (Member, Author) commented Feb 11, 2025

The main performance boost can be seen if you enable/disable the VEX_METRICS parameter in the scan profiles:

  • VEX_METRICS=1:
[*] Tue Feb 11 22:08:08 CET 2025 - F17_cve_bin_tool starting
[*] Tue Feb 11 22:18:22 CET 2025 - F17_cve_bin_tool finished
[!] Tue Feb 11 22:18:27 CET 2025 - Test ended on Tue Feb 11 22:18:27 CET 2025 and took about 0 days and 00:19:32 
  • VEX_METRICS=0:
[*] Tue Feb 11 21:37:16 CET 2025 - F17_cve_bin_tool starting
[*] Tue Feb 11 21:38:53 CET 2025 - F17_cve_bin_tool finished
[!] Tue Feb 11 21:38:55 CET 2025 - Test ended on Tue Feb 11 21:38:55 CET 2025 and took about 0 days and 00:07:43 

On the other hand you will lose all the exploit details.

Labels: cve-search, docker, EMBA, EMBArk, enhancement, Installation, SBOM