diff --git a/.github/workflows/build-and-push-image.yaml b/.github/workflows/build-and-push-image.yaml index 5098fa60..d3a141d8 100644 --- a/.github/workflows/build-and-push-image.yaml +++ b/.github/workflows/build-and-push-image.yaml @@ -22,7 +22,6 @@ on: - '.github/ISSUE_TEMPLATE/**/*' - 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced - 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images. - - 'docker/vex/*' # CVE exceptions we know are not in risk jobs: push_multi_platform_to_registries: @@ -95,3 +94,39 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max + + # For Docker scout there are some intermediary reported CVEs which exists outside + # of execution content or are unreachable by an attacker but exist in image. + # We create VEX files for these so they don't show in scout summary. + - name: Collect known and verified CVE exceptions + id: cve-list + run: | + # Collect CVEs from filenames in vex folder + CVE_NAMES="" + for file in ./docker/vex/*.vex.json; do + [ -e "$file" ] || continue + filename=$(basename "$file") + stripped_filename=${filename%.vex.json} + CVE_NAMES+=" $stripped_filename" + done + echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT + shell: bash + + # About VEX attestations https://docs.docker.com/scout/explore/exceptions/ + # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications + - name: Add VEX attestations + env: + CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }} + run: | + echo $CVE_EXCEPTIONS + curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- + for cve in $CVE_EXCEPTIONS; do + for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do + echo "Attaching VEX exception $cve to $tag" + docker scout attestation add \ + --file "./docker/vex/$cve.vex.json" \ + --predicate-type https://openvex.dev/ns/v0.2.0 \ + $tag + done + done + shell: bash diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml index dd433e42..e81d99c5 100644 --- a/.github/workflows/dev-build.yaml +++ b/.github/workflows/dev-build.yaml @@ -1,4 +1,4 @@ -name: Publish AnythingLLM Development Docker image (amd64) +name: AnythingLLM Development Docker image (amd64) concurrency: group: build-${{ github.ref }} @@ -6,7 +6,7 @@ concurrency: on: push: - branches: ['jwt-bump'] # put your current branch to create a build. Core team only. + branches: ['vex'] # put your current branch to create a build. Core team only. paths-ignore: - '**.md' - 'cloud-deployments/*' @@ -16,7 +16,6 @@ on: - '.github/ISSUE_TEMPLATE/**/*' - 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced - 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images. - - 'docker/vex/*' # CVE exceptions we know are not in risk jobs: push_multi_platform_to_registries: @@ -75,3 +74,41 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max + + # For Docker scout there are some intermediary reported CVEs which exists outside + # of execution content or are unreachable by an attacker but exist in image. + # We create VEX files for these so they don't show in scout summary. + - name: Collect known and verified CVE exceptions + id: cve-list + run: | + # Collect CVEs from filenames in vex folder + CVE_NAMES="" + for file in ./docker/vex/*.vex.json; do + [ -e "$file" ] || continue + filename=$(basename "$file") + stripped_filename=${filename%.vex.json} + CVE_NAMES+=" $stripped_filename" + done + echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT + shell: bash + + # About VEX attestations https://docs.docker.com/scout/explore/exceptions/ + # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications + - name: Add VEX attestations + env: + CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }} + run: | + echo $CVE_EXCEPTIONS + curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- + for cve in $CVE_EXCEPTIONS; do + for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do + echo "Attaching VEX exception $cve to $tag" + docker scout attestation add \ + --file "./docker/vex/$cve.vex.json" \ + --predicate-type https://openvex.dev/ns/v0.2.0 \ + $tag + done + done + shell: bash + + \ No newline at end of file diff --git a/docker/vex/CVE-2019-10790.vex.json b/docker/vex/CVE-2019-10790.vex.json index d6044ac6..4233fd14 100644 --- a/docker/vex/CVE-2019-10790.vex.json +++ b/docker/vex/CVE-2019-10790.vex.json @@ -12,40 +12,11 @@ "timestamp": "2024-07-22T13:49:12.883678-07:00", "products": [ { - "@id": "pkg:docker/mintplexlabs/anythingllm@render", - "subcomponents": [ - { - "@id": "pkg:npm/taffydb@2.6.2" - } - ] - }, - { - "@id": "pkg:docker/mintplexlabs/anythingllm@railway", - "subcomponents": [ - { - "@id": "pkg:npm/taffydb@2.6.2" - } - ] - }, - { - "@id": "pkg:docker/mintplexlabs/anythingllm@latest", - "subcomponents": [ - { - "@id": "pkg:npm/taffydb@2.6.2" - } - ] - }, - { - "@id": "pkg:docker/mintplexlabs/anythingllm@master", - "subcomponents": [ - { - "@id": "pkg:npm/taffydb@2.6.2" - } - ] + "@id": "pkg:npm/taffydb@2.6.2" } ], "status": "not_affected", - "justification": "vulnerable_code_cannot_be_controlled_by_adversary" + "justification": "vulnerable_code_not_in_execute_path" } ] } \ No newline at end of file diff --git a/docker/vex/CVE-2024-29415.vex.json b/docker/vex/CVE-2024-29415.vex.json new file mode 100644 index 00000000..dfe5b462 --- /dev/null +++ b/docker/vex/CVE-2024-29415.vex.json @@ -0,0 +1,22 @@ +{ + "@context": "https://openvex.dev/ns/v0.2.0", + "@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004", + "author": "tim@mintplexlabs.com", + "timestamp": "2024-07-19T16:08:47.147169-07:00", + "version": 1, + "statements": [ + { + "vulnerability": { + "name": "CVE-2024-29415" + }, + "timestamp": "2024-07-19T16:08:47.147172-07:00", + "products": [ + { + "@id": "pkg:npm/ip@2.0.0" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + } + ] +} \ No newline at end of file diff --git a/docker/vex/CVE-2024-37890.vex.json b/docker/vex/CVE-2024-37890.vex.json index 89de7553..13498ec6 100644 --- a/docker/vex/CVE-2024-37890.vex.json +++ b/docker/vex/CVE-2024-37890.vex.json @@ -12,40 +12,11 @@ "timestamp": "2024-07-19T16:08:47.147172-07:00", "products": [ { - "@id": "pkg:docker/mintplexlabs/anythingllm@render", - "subcomponents": [ - { - "@id": "pkg:npm/ws@8.14.2" - } - ] - }, - { - "@id": "pkg:docker/mintplexlabs/anythingllm@railway", - "subcomponents": [ - { - "@id": "pkg:npm/ws@8.14.2" - } - ] - }, - { - "@id": "pkg:docker/mintplexlabs/anythingllm@latest", - "subcomponents": [ - { - "@id": "pkg:npm/ws@8.14.2" - } - ] - }, - { - "@id": "pkg:docker/mintplexlabs/anythingllm@master", - "subcomponents": [ - { - "@id": "pkg:npm/ws@8.14.2" - } - ] + "@id": "pkg:npm/ws@8.14.2" } ], "status": "not_affected", - "justification": "vulnerable_code_cannot_be_controlled_by_adversary" + "justification": "vulnerable_code_not_in_execute_path" } ] } \ No newline at end of file diff --git a/docker/vex/CVE-2024-4068.vex.json b/docker/vex/CVE-2024-4068.vex.json new file mode 100644 index 00000000..41f73ed3 --- /dev/null +++ b/docker/vex/CVE-2024-4068.vex.json @@ -0,0 +1,22 @@ +{ + "@context": "https://openvex.dev/ns/v0.2.0", + "@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004", + "author": "tim@mintplexlabs.com", + "timestamp": "2024-07-19T16:08:47.147169-07:00", + "version": 1, + "statements": [ + { + "vulnerability": { + "name": "CVE-2024-4068" + }, + "timestamp": "2024-07-19T16:08:47.147172-07:00", + "products": [ + { + "@id": "pkg:npm/braces@3.0.2" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + } + ] +} \ No newline at end of file