Add Root IO vulnerability data provider #963
base: main
Conversation
| } | ||
| } | ||
| ], | ||
| "database_specific": {"source": "Root"} |
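Review bot: the expected fixture ends with `"database_specific": {"source": "Root"}` and nothing else, so this snapshot only guards the source key; if `_normalize()` is meant to stamp further provider metadata under `database_specific` on every record, put those keys in the expected dict here as well, otherwise a normalizer that drops them still passes the snapshot.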
This should also assert something like:

```python
if "database_specific" not in vuln_entry:
    vuln_entry["database_specific"] = {}
if "anchore" not in vuln_entry["database_specific"]:
    vuln_entry["database_specific"]["anchore"] = {}
vuln_entry["database_specific"]["anchore"]["record_type"] = "advisory"
```

has been done. Otherwise, grype-db doesn't know to emit unaffectedPackageHandles and this data just makes affected package handles and the NAKs don't do anything.
Fixed
This adds a new provider for Root IO vulnerability data, which provides
security information for Root IO patched packages across multiple
ecosystems (Debian, Ubuntu, Alpine, NPM, PyPI).
Implementation details:
- Fetches OSV 1.6.1 format data from Root IO API (api.root.io/external/osv)
- Implements NAK pattern: rootio- prefixed packages only match Root IO vulnerabilities
- Supports ecosystem-specific version suffixes (.root.io.N for Debian/Ubuntu,
-root.io.N for NPM, +root.io.N for PyPI)
- Provider class in src/vunnel/providers/rootio/__init__.py
- OSV record parser in src/vunnel/providers/rootio/parser.py
- Registered in src/vunnel/providers/__init__.py and src/vunnel/cli/config.py
Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
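The two pieces of the provider that the thread above talks about, the ecosystem-specific Root IO version suffixes from the commit message and the `database_specific` tagging the reviewer asked for, as one added example. This is illustration code, not the PR's `parser.py`: the regexes assume the suffix sits at the very end of the version string (only the suffix shapes `.root.io.N`, `-root.io.N` and `+root.io.N` come from the page, and Alpine is left unhandled because the page assigns it no suffix), `normalize` only shows the metadata stamping, and the sample OSV record is constructed.

```python
import re
from typing import Any, Dict, List, Optional

# Root IO version suffixes per ecosystem, as listed in the PR description.
# Placement at the end of the version string is an assumption of this example.
ROOTIO_SUFFIX = {
    "Debian": re.compile(r"\.root\.io\.(\d+)$"),
    "Ubuntu": re.compile(r"\.root\.io\.(\d+)$"),
    "npm": re.compile(r"-root\.io\.(\d+)$"),
    "PyPI": re.compile(r"\+root\.io\.(\d+)$"),
}


def rootio_patch_level(ecosystem: str, version: str) -> Optional[int]:
    """Return the Root IO patch number N if `version` carries the ecosystem's
    Root IO suffix, else None. Ecosystems without a known suffix never match,
    so a PyPI-style '+root.io.N' on an npm package is not accepted."""
    pattern = ROOTIO_SUFFIX.get(ecosystem)
    if pattern is None:
        return None
    m = pattern.search(version)
    return int(m.group(1)) if m else None


def normalize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Copy one OSV record and stamp database_specific with the provider
    source and the anchore record_type (the metadata from the review comment).
    The input is not mutated; existing database_specific keys are preserved."""
    out = dict(record)
    ds = dict(record.get("database_specific") or {})
    ds["source"] = "Root"
    anchore = dict(ds.get("anchore") or {})
    anchore["record_type"] = "advisory"
    ds["anchore"] = anchore
    out["database_specific"] = ds
    return out


def rootio_fixed_versions(record: Dict[str, Any]) -> List[Dict[str, Any]]:
    """List every OSV `fixed` event whose version is a Root IO build, with its
    ecosystem, package and patch level; fixes without the suffix are skipped."""
    found = []
    for affected in record.get("affected", []):
        pkg = affected.get("package", {})
        eco, name = pkg.get("ecosystem", ""), pkg.get("name", "")
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                fixed = event.get("fixed")
                if not fixed:
                    continue
                level = rootio_patch_level(eco, fixed)
                if level is None:
                    continue
                found.append({"ecosystem": eco, "package": name, "fixed": fixed, "patch_level": level})
    return found


# Constructed sample record in OSV shape (not real Root IO data).
SAMPLE = {
    "id": "ROOT-EXAMPLE-0001",
    "affected": [
        {
            "package": {"ecosystem": "Debian", "name": "libxml2"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.9.14+dfsg-1.3.root.io.2"}]}],
        },
        {
            "package": {"ecosystem": "npm", "name": "lodash"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "4.17.21-root.io.1"}]}],
        },
        {
            "package": {"ecosystem": "PyPI", "name": "requests"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}],
        },
    ],
}

if __name__ == "__main__":
    print(normalize(SAMPLE)["database_specific"])
    for row in rootio_fixed_versions(SAMPLE):
        print(row)
```

The point of keying the suffix regex on the ecosystem rather than searching for `root.io` anywhere is that a version string carrying the wrong separator for its ecosystem is not treated as a Root IO build, which is what keeps the rootio-prefixed matching from bleeding into ordinary upstream packages.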
….py _normalize()
2. Added comprehensive tests to verify the metadata is set correctly
3. Updated all 5 snapshot fixtures with the new metadata
Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
09e61c6 to 85f1e1d
| # Fix date patching is optional and requires authentication | ||
|
|
||
| # Fetch and process each OSV record | ||
| for osv_id in osv_ids: |
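Review bot: the comment `# Fix date patching is optional and requires authentication` leaves open where the credential comes from and what the provider does when it is absent; silently emitting records without fix dates is hard to diagnose downstream. Name the config key in this comment and log once, at warning level, when the step is skipped for lack of a token, without ever writing the token itself into the log line.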
Please make this concurrent in some way. Right now this provider does ~9K sequential, blocking http gets, which makes it very slow for a relatively small amount of data. Many of the other providers have some concurrent.futures.ThreadPoolExecutor use and a config that controls the concurrency (and sets a default higher than 1). Please imitate that pattern here.
It's probably fine to enter a concurrent section that pulls down all the osv docs and then process them sequentially, which is probably easier than trying to get the entire record normalized and processed concurrently.
Added concurrency
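The shape of fetch the reviewer asks for above, a bounded `ThreadPoolExecutor` pass that pulls every OSV document and a sequential pass that processes them, as an added example and not the PR's own code. `fetch_one` stands in for the blocking HTTP GET so this runs offline, `max_workers` stands in for the config value controlling concurrency, and the fake API contents and ids are constructed; the one id missing from the fake API shows that a single failed fetch is recorded rather than aborting the batch.

```python
import concurrent.futures
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List


@dataclass
class FetchResult:
    records: Dict[str, dict] = field(default_factory=dict)  # osv_id -> document
    errors: Dict[str, str] = field(default_factory=dict)    # osv_id -> error text


def fetch_all(osv_ids: Iterable[str], fetch_one: Callable[[str], dict], max_workers: int = 8) -> FetchResult:
    """Pull every OSV document with at most `max_workers` in flight.

    fetch_one performs one (blocking) GET; it is injected so the pool can be
    exercised without a network. max_workers=1 degrades to the original
    sequential behaviour. A failed fetch is recorded under errors instead of
    raised, so one bad id does not lose the rest of the batch. All writes to
    the result happen on the calling thread, inside the as_completed loop.
    """
    if max_workers < 1:
        raise ValueError("max_workers must be >= 1")
    ids = list(dict.fromkeys(osv_ids))  # de-duplicate, keep first-seen order
    result = FetchResult()
    with concurrent.futures.ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {pool.submit(fetch_one, osv_id): osv_id for osv_id in ids}
        for fut in concurrent.futures.as_completed(futures):
            osv_id = futures[fut]
            try:
                result.records[osv_id] = fut.result()
            except Exception as exc:  # any transport/parse error from fetch_one
                result.errors[osv_id] = f"{type(exc).__name__}: {exc}"
    return result


def process_in_order(osv_ids: Iterable[str], fetched: FetchResult, process: Callable[[dict], object]) -> List[object]:
    """Sequential processing pass in the original id order, the part the
    reviewer suggested leaving single-threaded. Ids that failed to fetch are
    skipped here; they are already listed in fetched.errors."""
    out = []
    for osv_id in osv_ids:
        doc = fetched.records.get(osv_id)
        if doc is not None:
            out.append(process(doc))
    return out


# Constructed stand-in for the API: OSV-shaped documents keyed by id.
FAKE_API = {
    "ROOT-1": {"id": "ROOT-1", "affected": []},
    "ROOT-2": {"id": "ROOT-2", "affected": []},
    "ROOT-3": {"id": "ROOT-3", "affected": []},
}


def fake_fetch(osv_id: str) -> dict:
    """Mimics a GET that raises on an unknown id (constructed, no network)."""
    try:
        return FAKE_API[osv_id]
    except KeyError:
        raise RuntimeError(f"HTTP 404 for {osv_id}")


def run_demo(max_workers: int = 4):
    """Fetch a constructed id list (with a duplicate and a missing id) and
    process whatever arrived, returning (FetchResult, processed ids)."""
    ids = ["ROOT-1", "ROOT-2", "ROOT-MISSING", "ROOT-3", "ROOT-1"]
    fetched = fetch_all(ids, fake_fetch, max_workers=max_workers)
    processed = process_in_order(dict.fromkeys(ids), fetched, lambda d: d["id"])
    return fetched, processed


if __name__ == "__main__":
    fetched, processed = run_demo()
    print(sorted(fetched.records), fetched.errors, processed)
```

Collecting futures with `as_completed` rather than `executor.map` is deliberate: `map` re-raises the first exception while iterating and drops everything after it, whereas here every id ends up in exactly one of `records` or `errors`, which is what a provider that runs unattended needs.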
tests/quality/config.yaml
| - name: github | ||
| use_cache: true | ||
| images: | ||
| - cr.root.io/cassandra@sha256:b3cc918a6a364af0a6b0a45becef0d0979db7e604751fad627ec2a94945b4e03 |
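Review bot: the `cr.root.io/cassandra` image reference puts a quality-gate image on a registry the gate runner has to pull from anonymously; if `cr.root.io` requires credentials, this entry fails at pull time in CI before any vulnerability comparison happens. Either point at a publicly pullable mirror of the same digest or document the registry credential the gate needs.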
I think you changed this image to be on a different repo?
Fixed
Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
c9e7a9e to d92900e
- Switched from private ECR to public Docker Hub images for accessibility
- Added 3 FP labels for ubuntu:22.04 image (CVE-2016-20013 x2, CVE-2021-46848)
- Added 3 FP labels for cassandra image (CVE-2016-20013 x3)
- Demonstrates Root IO patch prevention mechanism
- Reference scan finds vulnerabilities but Root IO-enhanced scan correctly excludes them
- Updated .yardstick.yaml and config.yaml to use docker.io/rootpublic images

Images:
- docker.io/rootpublic/ubuntu:22.04@sha256:1390a26823a5a761dfbb7f591ae74a71afd8e23583a2f0c58dca6943b606f6d5
- docker.io/rootpublic/cassandra:latest@sha256:02272b14efbe14e70ee5512ce707c4e300d3c1813f0e5df9562512c1b96be835

Signed-off-by: Chai Tadmor <chai.tadmor@root.io>