node-ip-vex

This sample project depends on the node-ip npm package (package name: ip), which is vulnerable to CVE-2024-29415, a Server-Side Request Forgery (SSRF) issue in its isPublic() function.

However, because the project never calls the vulnerable function isPublic(), the vulnerable code is not in its execution path and the image is not exploitable through CVE-2024-29415.

Run an analysis with Docker Scout

I can package my project as a Docker image:

docker buildx build -t felipecruz1638514/node-ip-vex:v1 .

And run a Docker Scout analysis to check if my project is vulnerable to CVE-2024-29415:

docker scout cves felipecruz1638514/node-ip-vex:v1 --only-cve-id CVE-2024-29415
    ✓ Image stored for indexing
    ✓ Indexed 221 packages
    ✓ Provenance obtained from attestation
    ✗ Detected 1 vulnerable package with 1 vulnerability


## Overview

                    │           Analyzed Image
────────────────────┼─────────────────────────────────────
  Target            │  felipecruz1638514/node-ip-vex:v1
    digest          │  972354a74233
    platform        │ linux/arm64
    vulnerabilities │    0C     1H     0M     0L
    size            │ 48 MB
    packages        │ 221


## Packages and Vulnerabilities

   0C     1H     0M     0L  ip 2.0.1
pkg:npm/ip@2.0.1

    ✗ HIGH CVE-2024-29415 [Server-Side Request Forgery (SSRF)]
      https://scout.docker.com/v/CVE-2024-29415
      Affected range : <=2.0.1
      Fixed version  : not fixed



1 vulnerability found in 1 package
  LOW       0
  MEDIUM    0
  HIGH      1
  CRITICAL  0

The output shows that Docker Scout flags the npm package ip@2.0.1 in the image as affected by this CVE (HIGH severity, with no fixed version available at the time of the scan), regardless of whether the application ever calls the vulnerable function.
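
A justification of vulnerable_code_not_in_execute_path is only as good as the check behind it. The following is an added example, not code from the node-ip-vex project: a small static check in JavaScript that looks for any reference to isPublic(), the vulnerable export of the ip package, in the first-party sources, including the renamed destructured imports that a plain grep for "isPublic(" misses. The sample sources inside it are constructed for the example; a real run would read the project's own files.

```javascript
'use strict';
// Added example, not code from the node-ip-vex project. It performs the check
// that a "vulnerable_code_not_in_execute_path" justification rests on: does
// any first-party source reference isPublic(), the vulnerable export of the
// `ip` package (CVE-2024-29415)? The sample sources at the bottom are
// constructed for this example; a real run would read the project's files.

const VULNERABLE_EXPORTS = new Set(['isPublic']);

// Local names bound to the whole `ip` module (namespaces) and to individual
// exports (destructured or named imports, possibly renamed).
function parseBindings(source) {
  const namespaces = new Set();
  const aliases = new Map(); // local name -> exported name
  const patterns = [
    // CommonJS: const ip = require('ip');  const { isPublic: f } = require('ip');
    /(?:const|let|var)\s+(\{[^}]*\}|[\w$]+)\s*=\s*require\(\s*['"]ip['"]\s*\)/g,
    // ESM: import ip from 'ip';  import * as ip from 'ip';  import { isPublic as f } from 'ip';
    /import\s+(\{[^}]*\}|\*\s+as\s+[\w$]+|[\w$]+)\s+from\s+['"]ip['"]/g,
  ];
  for (const re of patterns) {
    for (const m of source.matchAll(re)) {
      const spec = m[1].trim();
      if (spec.startsWith('{')) {
        for (const part of spec.slice(1, -1).split(',')) {
          const [exported, local] = part.split(/\s*(?::|\bas\b)\s*/).map((s) => s.trim());
          if (exported) aliases.set(local || exported, exported);
        }
      } else {
        namespaces.add(spec.replace(/^\*\s+as\s+/, ''));
      }
    }
  }
  return { namespaces, aliases };
}

// Match an identifier as a whole token ($ is a legal identifier character).
const ident = (name) => `(?<![\\w$])${name.replace(/\$/g, '\\$')}(?![\\w$])`;

function findReferences(source) {
  const { namespaces, aliases } = parseBindings(source);
  const reachable = [];
  const uncertain = [];
  for (const ns of namespaces) {
    for (const fn of VULNERABLE_EXPORTS) {
      if (new RegExp(`${ident(ns)}\\.${fn}(?![\\w$])`).test(source)) reachable.push(`${ns}.${fn}`);
    }
    // ip[name](...) cannot be resolved statically here, so it blocks the justification.
    if (new RegExp(`${ident(ns)}\\s*\\[`).test(source)) uncertain.push(`${ns}[...]`);
  }
  for (const [local, exported] of aliases) {
    // A bound alias counts even if never called: the vulnerable code is imported.
    if (VULNERABLE_EXPORTS.has(exported)) reachable.push(`${local} (alias of ${exported})`);
  }
  return { reachable, uncertain };
}

// files: { path: source }. justified is true only when nothing in the
// first-party code references the vulnerable export, directly or via alias,
// and no dynamic property access on the module was seen. Transitive
// dependencies that call ip.isPublic() themselves are out of scope here.
function auditProject(files) {
  const report = { reachable: [], uncertain: [] };
  for (const [path, source] of Object.entries(files)) {
    const { reachable, uncertain } = findReferences(source);
    report.reachable.push(...reachable.map((r) => `${path}: ${r}`));
    report.uncertain.push(...uncertain.map((u) => `${path}: ${u}`));
  }
  report.justified = report.reachable.length === 0 && report.uncertain.length === 0;
  return report;
}

// Constructed sample sources (not the project's real files).
const PROJECT_FILES = {
  'src/server.js': `
    const ip = require('ip');
    const http = require('http');
    http.createServer((req, res) => res.end(ip.address())).listen(3000);
  `,
};
// Counterexample: a renamed destructured import that a grep for "isPublic(" misses.
const UNSAFE_FILE = {
  'src/fetch-proxy.js': `
    const { isPublic: allowed } = require('ip');
    module.exports = (host) => allowed(host) && fetch('http://' + host);
  `,
};

console.log(auditProject(PROJECT_FILES));                        // justified: true
console.log(auditProject({ ...PROJECT_FILES, ...UNSAFE_FILE }));  // justified: false
```

The check is deliberately conservative: a computed property access such as ip[name] is reported as uncertain rather than clean, because the justification cannot be asserted for code the check cannot resolve. It only covers first-party code; if a transitive dependency calls ip.isPublic() on attacker-controlled input, the not_affected claim does not hold.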

Generate a VEX document

The next step is to generate a VEX document that records this context: the image contains a vulnerable package, ip@2.0.1, but the vulnerability is not exploitable because the vulnerable code is not in the execution path. In VEX terms, the status is not_affected with the justification vulnerable_code_not_in_execute_path.

We can use vexctl to create a VEX document:

vexctl create \
  --author="[email protected]" \
  --product="pkg:docker/felipecruz1638514/node-ip-vex@v2" \
  --subcomponents="pkg:npm/ip@2.0.1" \
  --vuln="CVE-2024-29415" \
  --status="not_affected" \
  --justification="vulnerable_code_not_in_execute_path" \
  --file="CVE-2024-29415.vex.json"

Verify CVE suppression

To test whether the CVE is now suppressed, build the image again under a new tag (v2) so that the VEX document is included in the image filesystem. The COPY . . instruction in the existing Dockerfile already does that, because the VEX file was written into the build context. Note that the --product value in the VEX document names this v2 tag.

docker buildx build -t felipecruz1638514/node-ip-vex:v2 .

Next, run the Docker Scout analysis again, this time loading the VEX document from the current directory with --vex-location:

docker scout cves felipecruz1638514/node-ip-vex:v2 --only-cve-id CVE-2024-29415 --vex-location .
    ✓ Image stored for indexing
    ✓ Indexed 324 packages
    ✓ Loaded 1 VEX document
    ✗ Detected 1 vulnerable package with 1 vulnerability


## Overview

                    │           Analyzed Image            
────────────────────┼─────────────────────────────────────
  Target            │  felipecruz1638514/node-ip-vex:v2   
    digest          │  646daafacd8e                       
    platform        │ linux/arm64                         
    vulnerabilities │    0C     1H     0M     0L          
    size            │ 76 MB                               
    packages        │ 324                                 


## Packages and Vulnerabilities

   0C     1H     0M     0L  ip 2.0.1
pkg:npm/ip@2.0.1

    ✗ HIGH CVE-2024-29415 [Server-Side Request Forgery (SSRF)]
      https://scout.docker.com/v/CVE-2024-29415
      Affected range : <=2.0.1                                             
      Fixed version  : not fixed                                           
      VEX            : not affected [vulnerable code not in execute path]  
                     : ip@2.0.1                                  
    


1 vulnerability found in 1 package
  LOW       0  
  MEDIUM    0  
  HIGH      1  
  CRITICAL  0  

Notice in the output above that Docker Scout loaded the VEX document and attached its statement to the finding. The CVE is still listed and still counted in the summary (1 HIGH), but it is now annotated as not affected:

      VEX            : not affected [vulnerable code not in execute path]  
                     : ip@2.0.1                                  

To actually filter out the suppressed CVE, add the --only-vex-affected flag:

docker scout cves felipecruz1638514/node-ip-vex:v2 --only-cve-id CVE-2024-29415 --vex-location . --only-vex-affected
    ✓ SBOM of image already cached, 324 packages indexed
    ✓ Loaded 1 VEX document
    ✓ No vulnerable package detected


## Overview

                    │           Analyzed Image            
────────────────────┼─────────────────────────────────────
  Target            │  felipecruz1638514/node-ip-vex:v2   
    digest          │  646daafacd8e                       
    platform        │ linux/arm64                         
    vulnerabilities │    0C     0H     0M     0L          
    size            │ 76 MB                               
    packages        │ 324                                 

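The two steps above, writing the statement with vexctl and watching the scanner apply it, can be followed in code. The following is an added example, not code from the node-ip-vex project, vexctl or Docker Scout: it spells out the OpenVEX document the vexctl create command above is expected to produce (field layout per OpenVEX v0.2.0; the "@id", author and timestamp values are placeholders, since vexctl generates them per run), validates the rules a not_affected statement must satisfy, and reproduces the suppression and the --only-vex-affected filtering over a constructed finding that mirrors the Scout output. The matching rules are this example's reading of the OpenVEX specification, not Scout's implementation.

```javascript
'use strict';
// Added example, not code from the node-ip-vex project, vexctl or Docker
// Scout. VEX_DOC is the OpenVEX document the `vexctl create` command above
// is expected to produce (layout per OpenVEX v0.2.0; "@id", author and
// timestamp are placeholders, as vexctl generates them per run). The
// validator and matcher below are this example's reading of the OpenVEX
// spec, not Scout's implementation.

const IMAGE_V2 = 'pkg:docker/felipecruz1638514/node-ip-vex@v2';

const VEX_DOC = {
  '@context': 'https://openvex.dev/ns/v0.2.0',
  '@id': 'https://openvex.dev/docs/example/vex-0001', // placeholder
  author: 'author@example.com',                       // placeholder
  timestamp: '2024-07-01T00:00:00Z',                  // placeholder
  version: 1,
  statements: [
    {
      vulnerability: { name: 'CVE-2024-29415' },
      products: [
        { '@id': IMAGE_V2, subcomponents: [{ '@id': 'pkg:npm/ip@2.0.1' }] },
      ],
      status: 'not_affected',
      justification: 'vulnerable_code_not_in_execute_path',
    },
  ],
};

const STATUSES = new Set(['not_affected', 'affected', 'fixed', 'under_investigation']);
const JUSTIFICATIONS = new Set([
  'component_not_present',
  'vulnerable_code_not_present',
  'vulnerable_code_not_in_execute_path',
  'vulnerable_code_cannot_be_controlled_by_adversary',
  'inline_mitigations_already_exist',
]);

// Returns the list of problems found; an empty list means the document is usable.
function validateVex(doc) {
  const problems = [];
  for (const key of ['@context', '@id', 'author', 'timestamp', 'version']) {
    if (doc[key] === undefined) problems.push(`missing ${key}`);
  }
  if (!Array.isArray(doc.statements) || doc.statements.length === 0) {
    return [...problems, 'no statements'];
  }
  doc.statements.forEach((st, i) => {
    const at = `statement[${i}]`;
    if (!st.vulnerability || !st.vulnerability.name) problems.push(`${at}: missing vulnerability.name`);
    if (!Array.isArray(st.products) || st.products.length === 0) problems.push(`${at}: no products`);
    if (!STATUSES.has(st.status)) problems.push(`${at}: unknown status ${st.status}`);
    // A not_affected claim must say why, or nobody can audit it later.
    if (st.status === 'not_affected' && !st.justification && !st.impact_statement) {
      problems.push(`${at}: not_affected without justification or impact_statement`);
    }
    if (st.justification && !JUSTIFICATIONS.has(st.justification)) {
      problems.push(`${at}: unknown justification ${st.justification}`);
    }
    if (st.status === 'affected' && !st.action_statement) {
      problems.push(`${at}: affected without action_statement`);
    }
  });
  return problems;
}

// The statement covering (cve, packagePurl) inside imagePurl, or null. A
// product without subcomponents covers the whole image; with subcomponents,
// only the packages listed. The product id is compared literally, tag
// included, so a statement written for @v2 does not cover another tag.
function lookupStatement(doc, imagePurl, packagePurl, cve) {
  for (const st of doc.statements) {
    if (st.vulnerability.name !== cve) continue;
    for (const product of st.products) {
      if (product['@id'] !== imagePurl) continue;
      const subs = product.subcomponents || [];
      if (subs.length === 0 || subs.some((s) => s['@id'] === packagePurl)) return st;
    }
  }
  return null;
}

// Annotate scanner findings ({ cve, purl, ... }) with the matching VEX statement.
function applyVex(doc, imagePurl, findings) {
  return findings.map((f) => {
    const st = lookupStatement(doc, imagePurl, f.purl, f.cve);
    return st ? { ...f, vex: { status: st.status, justification: st.justification } } : { ...f };
  });
}

// The --only-vex-affected view: drop findings whose VEX status says the
// image is not affected or already fixed; everything else stays visible.
function onlyVexAffected(findings) {
  return findings.filter((f) => !f.vex || !['not_affected', 'fixed'].includes(f.vex.status));
}

// Constructed finding mirroring the Scout output above.
const FINDINGS = [{ cve: 'CVE-2024-29415', purl: 'pkg:npm/ip@2.0.1', severity: 'HIGH' }];

console.log(validateVex(VEX_DOC));                                   // []
console.log(applyVex(VEX_DOC, IMAGE_V2, FINDINGS));                  // annotated not_affected
console.log(onlyVexAffected(applyVex(VEX_DOC, IMAGE_V2, FINDINGS))); // []
// Same image retagged as v3 without reissuing the statement: nothing is suppressed.
console.log(onlyVexAffected(applyVex(VEX_DOC, IMAGE_V2.replace('@v2', '@v3'), FINDINGS)));
```

Two points the code makes explicit: a not_affected statement without a justification (or impact statement) is rejected by the validator, because a claim nobody can audit is worse than no claim; and the statement is scoped to the product identifier it names. Whether a particular scanner normalizes the tag in the product PURL is a tool-specific detail; the matcher here compares the identifier literally, so retagging the image means reissuing the statement with a matching --product.
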
Inspecting the image in the Docker Scout UI

Finally, push the image to the registry so that Docker Scout (scout.docker.com) can analyze it, and inspect the result in the UI:

docker buildx build --sbom=false --provenance=false -t felipecruz1638514/node-ip-vex:v2 --push .

Note: VEX documents embedded in the image filesystem are not considered for images that have attestations. If your image has any attestations, Docker Scout will only look for exceptions in the attestations, and not in the image filesystem. That is why the docker buildx build command above disables the SBOM and provenance attestations (--sbom=false --provenance=false). This is fine for a demo, but for a production image you would rather keep the attestations and ship the VEX statement as an attestation too, since that is where Docker Scout looks for exceptions in that case.

On the Docker Scout website, the v2 tag no longer shows CVE-2024-29415 as a HIGH vulnerability, because Scout takes the VEX document embedded in the image filesystem into account.

(screenshot: v1-v2-summary)

On the image details page, we can see the VEX document that was loaded from the image filesystem:

(screenshot: v2-vex)

Resources
