Jose Antonia Carmona & Juan Ariza contributed to this blog post
Trivy can now consume CSAF VEX (Common Security Advisory Framework Vulnerability Exploitability eXchange) data and filter out false positives in CVE reports based on the context of the product or platform where they are present. This enables you to maximize the value of Tanzu Application Catalog VEX documents by using them in combination with Trivy.
More than 40% of alerts from security tools are false positives, according to the 2022 Cloud Security Alert Fatigue Report. This means that teams working on vulnerability management often waste time and effort on vulnerabilities that pose no actual risk. Even worse, this slows the time to market of new software.
Vulnerability Exploitability eXchange (VEX) aims to solve this problem by asserting the exploitability of all vulnerabilities identified in a product. This, in turn, helps development and operations teams identify whether their end product or platform is actually affected by those vulnerabilities. Additionally, VEX provides information about identified remediation actions as well, enabling development and operations teams to deal with vulnerability management quickly by reviewing their options and mitigating risks.
Often, development, operations, and security teams find themselves trying to fix a vulnerability in an upstream component while completely unaware whether or not that vulnerability is exploitable in their final product or platform. VEX can reduce efforts that are spent investigating and remediating the unexploitable vulnerabilities, commonly referred to as false positives by categorizing the vulnerabilities in a given product by a specific status: Not Affected, Affected, Fixed, or Under Investigation.
The machine readability of VEX enables automation and supports integration with broader tooling and processes. Common Security Advisory Framework (CSAF) is a standard for machine-readable security advisories developed by the OASIS Open CSAF Technical Committee.
VMware Tanzu Application Catalog delivers CSAF VEX documentation, in addition to the Software Package Data Exchange Software Bill of Materials (SPDX SBoM,) for all container images based on Photon OS (our recommended base image for customers looking for minimal upstream CVEs).
CSAF VEX documentation now consumable by Trivy
Trivy is a popular open source security scanner and the latest version, v0.49.2, supports CSAF VEX documentation. Working closely with the Trivy team, the Bitnami and VMware Tanzu Application Catalog engineering team put our experience working with VEX to good use to ensure that this integration is done in a smooth, timely, and reliable manner.
This integration enables Trivy to filter the CVEs it reports based on the data present in VEX documents. Now users of VMware Tanzu Application Catalog can combine the power of VEX documentation and CVE scan reports to easily filter out the false-positive CVEs in the CVE scan reports. Let’s now look at how this is done.
-
Navigate to https://app-catalog.vmware.com/ from your catalog and select a Photon OS- based container image. This blog post uses Kafka as an example but there are many others to choose from.
-
Download the VEX document and SPDX SBoM from the Build Time Reports section.
-
Install Trivy, if you do not already have it installed. We recommend installing the latest version – v.0.50.0 for the best experience.
-
Execute the following command:
./trivy sbom path/to/spdx.json --vex path/to/vex.json
2024-03-06T10:32:06.401+0100 INFO Vulnerability scanning is enabled
2024-03-06T10:32:06.404+0100 INFO Detected SBOM format: spdx-json
2024-03-06T10:32:06.434+0100 INFO Detected OS: photon
2024-03-06T10:32:06.434+0100 INFO Detecting Photon Linux vulnerabilities...
2024-03-06T10:32:06.436+0100 INFO Number of language-specific files: 6
2024-03-06T10:32:06.436+0100 INFO Detecting bitnami vulnerabilities...
2024-03-06T10:32:06.436+0100 INFO Detecting gobinary vulnerabilities...
2024-03-06T10:32:06.436+0100 INFO Detecting jar vulnerabilities...
2024-03-06T10:32:06.442+0100 WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-4807", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100 WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-5363", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100 WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-2650", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100 WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-2975", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100 WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-3446", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100 WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-3817", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100 WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-5678", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.443+0100 INFO Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
Now, Trivy scans the SPDX SBoM and VEX document you downloaded from Tanzu Application Catalog and generates a more precise CVE report that filters out all CVEs marked as not exploitable. This means that the teams working on vulnerability management can avoid wasting precious time and effort on false positive CVEs.
Looking forward
This is one of the first practical use cases of VEX that you can leverage today. We have plans to work with the Trivy team to make VEX documents auto-discoverable so that, in the future, you won’t need to find and feed the VEX document to Trivy. Instead, Trivy will automatically find and load the VEX document and provide accurate results out of the box.
Learn more
Are you attending KubeCon + CloudNativeCon Europe 2024? Make sure to join the session VEXintating your Container Images: The European Way on March 21, 2024 (Thursday) to learn more about why VEX data is fast becoming an indispensable part of modern-day security practices.
To learn more about VEX, SBoMs, and CVE scan reports in Tanzu Application Catalog, read this blog.
To learn more about Tanzu Application Catalog, check our product webpage and solution brief.
Get started with VMware Tanzu Application Catalog by filling out this form.