Add cve detection

Signed-off-by: Christian Dupuis <[email protected]>

Author: cdupuis

README.md

@@ -1,3 +1,5 @@
+**Note:** This repository is not an officially supported Docker project.
+
 # `docker index` Docker CLI plugin
 
 Docker CLI plugin to create image SBOMs as well as analyze packages for known vulnerabilities 
@@ -21,12 +23,25 @@ Alternatively, you can install manually by following these steps:
 
 ### `docker index sbom`
 
-To detect base images for local or remote images, use the following command:
+To create an SBOM for a local or remote image, run the following command:
 
 ```shell
 $ docker index sbom --image <IMAGE> 
 ```
 
-`<IMAGE>` can either be a local image id or fully qualified image name from a remote registry.
+* `--image <IMAGE>` can either be a local image id or fully qualified image name from a remote registry
+* `--oci-dir <DIR>` can point to a local image in OCI directory format
+* `--output <OUTPUT FILE>` allows to store the generated SBOM in a local file
+* `--include-cves` will include all detected CVEs in generated output
+
+### `docker index cve`
+
+To detect base images for local or remote images, use the following command:
+
+```shell
+$ docker index cve --image <IMAGE> CVE_ID 
+```
 
-`--output <OUTPUT FILE>` allows to store the generated SBOM in a local file.
+* `--image <IMAGE>` can either be a local image id or fully qualified image name from a remote registry
+* `--oci-dir <DIR>` can point to a local image in OCI directory format
+* `CVE_ID` can be any known CVE id

main.go

@@ -44,7 +44,7 @@ func main() {
 
 		var (
 			output, ociDir, image, workspace string
-			apiKeyStdin, includeVulns        bool
+			apiKeyStdin, includeCves         bool
 		)
 
 		logoutCommand := &cobra.Command{
@@ -97,10 +97,10 @@ func main() {
 				if err != nil {
 					return err
 				}
-				if includeVulns {
+				if includeCves {
 					workspace, _ := config.PluginConfig("index", "workspace")
 					apiKey, _ := config.PluginConfig("index", "api-key")
-					cves, err := query.QueryCves(sb, workspace, apiKey)
+					cves, err := query.QueryCves(sb, "", workspace, apiKey)
 					if err != nil {
 						return err
 					}
@@ -121,10 +121,10 @@ func main() {
 			},
 		}
 		sbomCommandFlags := sbomCommand.Flags()
-		sbomCommandFlags.StringVar(&output, "output", "", "Location path to write SBOM to")
-		sbomCommandFlags.StringVar(&image, "image", "", "Image reference to index")
-		sbomCommandFlags.StringVar(&ociDir, "oci-dir", "", "Path to image in OCI format")
-		sbomCommandFlags.BoolVar(&includeVulns, "include-vulns", false, "Include package CVEs")
+		sbomCommandFlags.StringVarP(&output, "output", "o", "", "Location path to write SBOM to")
+		sbomCommandFlags.StringVarP(&image, "image", "i", "", "Image reference to index")
+		sbomCommandFlags.StringVarP(&ociDir, "oci-dir", "d", "", "Path to image in OCI format")
+		sbomCommandFlags.BoolVarP(&includeCves, "include-cves", "c", false, "Include package CVEs")
 
 		uploadCommand := &cobra.Command{
 			Use:   "upload [OPTIONS]",
@@ -171,12 +171,70 @@ func main() {
 		uploadCommandFlags.StringVar(&workspace, "workspace", "", "Atomist workspace")
 		uploadCommandFlags.BoolVar(&apiKeyStdin, "api-key-stdin", false, "Atomist API key")
 
+		cveCommand := &cobra.Command{
+			Use:   "cve [OPTIONS] CVE_ID",
+			Short: "Check if image is vulnerable to given CVE",
+			RunE: func(cmd *cobra.Command, args []string) error {
+				if len(args) != 1 {
+					return fmt.Errorf(`"docker index cve" requires exactly 1 argument`)
+				}
+				cve := args[0]
+				var err error
+				var sb *sbom.Sbom
+
+				if ociDir == "" {
+					sb, _, err = sbom.IndexImage(image, dockerCli.Client())
+				} else {
+					sb, _, err = sbom.IndexPath(ociDir, image)
+				}
+				if err != nil {
+					return err
+				}
+				workspace, _ := config.PluginConfig("index", "workspace")
+				apiKey, _ := config.PluginConfig("index", "api-key")
+				cves, err := query.QueryCves(sb, cve, workspace, apiKey)
+				if err != nil {
+					return err
+				}
+
+				if len(*cves) > 0 {
+					for _, c := range *cves {
+						skill.Log.Warnf("Detected %s at", cve)
+						skill.Log.Warnf("")
+						purl := c.Purl
+						for _, p := range sb.Artifacts {
+							if p.Purl == purl {
+								skill.Log.Warnf("  %s", p.Purl)
+								loc := p.Locations[0]
+								for i, l := range sb.Source.Image.Config.RootFS.DiffIDs {
+									if l.String() == loc.DiffId {
+										h := sb.Source.Image.Config.History[i]
+										skill.Log.Warnf("    ")
+										skill.Log.Warnf("    Instruction: %s", h.CreatedBy)
+										skill.Log.Warnf("    Layer %d: %s", i, loc.Digest)
+									}
+								}
+							}
+						}
+					}
+					os.Exit(1)
+				} else {
+					skill.Log.Infof("%s not detected", cve)
+					os.Exit(0)
+				}
+				return nil
+			},
+		}
+		cveCommandFlags := cveCommand.Flags()
+		cveCommandFlags.StringVarP(&image, "image", "i", "", "Image reference to index")
+		cveCommandFlags.StringVarP(&ociDir, "oci-dir", "d", "", "Path to image in OCI format")
+
 		cmd := &cobra.Command{
 			Use:   "index",
 			Short: "Docker Index",
 		}
 
-		cmd.AddCommand(loginCommand, logoutCommand, sbomCommand, uploadCommand)
+		cmd.AddCommand(loginCommand, logoutCommand, sbomCommand, cveCommand, uploadCommand)
 		return cmd
 	},
 		manager.Metadata{

query/package_cve.edn

@@ -0,0 +1,75 @@
+[:find
+ ?cves
+ :keys cves
+ :in $ $before-db %% ?ctx
+ :where
+
+ [(ground "%s") ?source-id]
+ [(ground [%s]) ?packages]
+
+ [(adb/query (quote [:find
+                     ?purl ?source-id ?source ?range ?url ?fixed-by
+                     (pull ?v [:vulnerability/source-id
+                               :vulnerability/source
+                               {:vulnerability/urls [:vulnerability.url/value :vulnerability.url/name]}
+                               {:vulnerability/references [:vulnerability.reference/source {:vulnerability.reference/scores [:vulnerability.reference.score/type :vulnerability.reference.score/value]}]}])
+                     (pull ?cve [:vulnerability/source-id
+                                 :vulnerability/source
+                                 :vulnerability/description
+                                 {:vulnerability/urls [:vulnerability.url/value :vulnerability.url/name]}
+                                 {:vulnerability/cwes [:vulnerability.cwe/source-id :vulnerability.cwe/name]}
+                                 {:vulnerability/references [:vulnerability.reference/source {:vulnerability.reference/scores [:vulnerability.reference.score/type :vulnerability.reference.score/value]}]}])
+                     :keys purl source-id source vulnerable-range url fixed-by v cve
+                     :in $ $b %% ?ctx [?packages ?source-id]
+                     :where
+                     [?v :vulnerability/source-id ?source-id]
+                     [?v :vulnerability/source ?source]
+                     [?v :vulnerability/advisories ?adv]
+
+                     [(untuple ?packages) [?package ...]]
+                     [(untuple ?package) [?purl ?type ?version ?url]]
+                     [?adv :vulnerability.advisory/url ?url]
+
+                     [(missing? $ ?v :vulnerability/withdrawn-at)]
+                     [?adv :vulnerability.advisory/versions ?versions]
+                     [?versions :vulnerability.advisory.version/vulnerable-range ?range]
+                     (range-satisfied? ?type ?version ?source ?range)
+
+                     (or-join [?v ?source-id]
+                       [?v :vulnerability/cve-id ?source-id]
+                       (and
+                         [(missing? $ ?v :vulnerability/cve-id)]
+                         [?v :vulnerability/source-id ?source-id]))
+
+                     (or-join [?versions ?fixed-by]
+                       [?versions :vulnerability.advisory.version/fixed-by ?fixed-by]
+                       (and
+                         [(missing? $ ?versions :vulnerability.advisory.version/fixed-by)]
+                         [(ground "not fixed") ?fixed-by]))
+
+                     (or-join [?v ?cve]
+                       (and
+                         [?v :vulnerability/cve-id ?cveId]
+                         [?cve :vulnerability/source-id ?cveId]
+                         [?cve :vulnerability/source "nist"])
+                       (and
+                         [?v :vulnerability/source-id ?cveId]
+                         [?cve :vulnerability/source-id ?cveId]
+                         [?cve :vulnerability/source "nist"])
+                       (and
+                         (not-join [?v]
+                           [?v :vulnerability/cve-id ?cveId]
+                           [?cve :vulnerability/source-id ?cveId]
+                           [?cve :vulnerability/source "nist"]
+                           )
+                         (not-join [?v]
+                           [?v :vulnerability/source-id ?cveId]
+                           [?cve :vulnerability/source-id ?cveId]
+                           [?cve :vulnerability/source "nist"]
+                           )
+                         ([ground "n/a"] ?cve))
+                       )
+                     ])
+    ?packages ?source-id)
+  ?cves]
+ ]

query/query.go

@@ -19,6 +19,7 @@ package query
 import (
 	_ "embed"
 	"fmt"
+	"github.com/docker/index-cli-plugin/internal"
 	"net/http"
 	"strings"
 
@@ -44,8 +45,11 @@ var enabledSkillsQuery string
 //go:embed package_cves.edn
 var packageCvesQuery string
 
+//go:embed package_cve.edn
+var packageCveQuery string
+
 func CheckAuth(workspace string, apiKey string) (bool, error) {
-	resp, err := query(enabledSkillsQuery, workspace, apiKey)
+	resp, err := query(enabledSkillsQuery, "auth_check", workspace, apiKey)
 	if err != nil {
 		return false, errors.Wrap(err, "failed to check auth")
 	}
@@ -55,45 +59,45 @@ func CheckAuth(workspace string, apiKey string) (bool, error) {
 	return true, nil
 }
 
-func QueryCves(sb *sbom.Sbom, workspace string, apiKey string) (*[]sbom.Cve, error) {
+func QueryCves(sb *sbom.Sbom, cve string, workspace string, apiKey string) (*[]sbom.Cve, error) {
 	pkgs := make([]string, 0)
 	for _, p := range sb.Artifacts {
 		pkgs = append(pkgs, fmt.Sprintf(`["%s" "%s" "%s" "%s"]`, p.Purl, p.Type, p.Version, sbom.ToAdvisoryUrl(p)))
 	}
 
-	resp, err := query(fmt.Sprintf(packageCvesQuery, strings.Join(pkgs, " ")), workspace, apiKey)
-	if workspace == "" || apiKey == "" {
-		var result QueryResult
-		err = edn.NewDecoder(resp.Body).Decode(&result)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to unmarshal response")
-		}
-		if len(result.Query.Data) > 0 {
-			skill.Log.Infof("Detected %d vulnerabilities", len(result.Query.Data[0].Cves))
-			return &result.Query.Data[0].Cves, nil
+	var q, name string
+	if cve == "" {
+		q = fmt.Sprintf(packageCvesQuery, strings.Join(pkgs, " "))
+		name = "cves_query"
+	} else {
+		q = fmt.Sprintf(packageCveQuery, cve, strings.Join(pkgs, " "))
+		name = "cve_query"
+	}
+	resp, err := query(q, name, workspace, apiKey)
+	var result QueryResult
+	err = edn.NewDecoder(resp.Body).Decode(&result)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to unmarshal response")
+	}
+	if len(result.Query.Data) > 0 {
+		if len(result.Query.Data) == 1 {
+			skill.Log.Infof("Detected %d vulnerability", len(result.Query.Data[0].Cves))
 		} else {
-			return nil, nil
+			skill.Log.Infof("Detected %d vulnerabilities", len(result.Query.Data[0].Cves))
 		}
+		return &result.Query.Data[0].Cves, nil
 	} else {
-		var cves []CveResult
-		err = edn.NewDecoder(resp.Body).Decode(&cves)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to unmarshal response")
-		}
-		skill.Log.Infof("Detected %d vulnerabilities", len(cves[0].Cves))
-		return &cves[0].Cves, nil
+		return nil, nil
 	}
 }
 
-func query(query string, workspace string, apiKey string) (*http.Response, error) {
-	url := "https://api.dso.docker.com/datalog/team/" + workspace
+func query(query string, name string, workspace string, apiKey string) (*http.Response, error) {
+	url := fmt.Sprintf("https://api.dso.docker.com/datalog/team/%s/queries", workspace)
 	if workspace == "" || apiKey == "" {
 		url = "https://api.dso.docker.com/datalog/shared-vulnerability/queries"
-		query = fmt.Sprintf(`{:queries [{:name "query" :query %s}]}`, query)
-	} else {
-		query = fmt.Sprintf(`{:query %s}`, query)
-	}
 
+	}
+	query = fmt.Sprintf(`{:queries [{:name "query" :query %s}]}`, query)
 	client := &http.Client{}
 	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(query))
 	if err != nil {
@@ -103,6 +107,8 @@ func query(query string, workspace string, apiKey string) (*http.Response, error
 		req.Header.Set("Authorization", "Bearer "+apiKey)
 	}
 	req.Header.Set("Content-Type", "application/edn")
+	req.Header.Set("X-Docker-Client", fmt.Sprintf("index-cli-plugin/%s", internal.FromBuild().Version))
+	req.Header.Set("X-Docker-Query", name)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to create http client")
 	}