Merge branch 'master' of github.com:Mintplex-Labs/anything-llm into render

.github/workflows/build-and-push-image.yaml

@@ -22,7 +22,6 @@ on:
       - '.github/ISSUE_TEMPLATE/**/*'
       - 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
       - 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
-      - 'docker/vex/*' # CVE exceptions we know are not in risk
 
 jobs:
   push_multi_platform_to_registries:
@@ -95,3 +94,39 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+      
+      # For Docker scout there are some intermediary reported CVEs which exists outside
+      # of execution content or are unreachable by an attacker but exist in image.
+      # We create VEX files for these so they don't show in scout summary. 
+      - name: Collect known and verified CVE exceptions
+        id: cve-list
+        run: |
+          # Collect CVEs from filenames in vex folder
+          CVE_NAMES=""
+          for file in ./docker/vex/*.vex.json; do
+            [ -e "$file" ] || continue
+            filename=$(basename "$file")
+            stripped_filename=${filename%.vex.json}
+            CVE_NAMES+=" $stripped_filename"
+          done
+          echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
+        shell: bash
+
+      # About VEX attestations https://docs.docker.com/scout/explore/exceptions/
+      # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
+      - name: Add VEX attestations
+        env:
+          CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
+        run: |
+          echo $CVE_EXCEPTIONS
+          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+          for cve in $CVE_EXCEPTIONS; do
+            for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
+              echo "Attaching VEX exception $cve to $tag"
+              docker scout attestation add \
+              --file "./docker/vex/$cve.vex.json" \
+              --predicate-type https://openvex.dev/ns/v0.2.0 \
+              $tag
+            done
+          done
+        shell: bash

.github/workflows/dev-build.yaml

@@ -1,4 +1,4 @@
-name: Publish AnythingLLM Development Docker image (amd64)
+name: AnythingLLM Development Docker image (amd64)
 
 concurrency:
   group: build-${{ github.ref }}
@@ -6,7 +6,7 @@ concurrency:
 
 on:
   push:
-    branches: ['jwt-bump'] # put your current branch to create a build. Core team only.
+    branches: ['vex'] # put your current branch to create a build. Core team only.
     paths-ignore:
       - '**.md'
       - 'cloud-deployments/*'
@@ -16,7 +16,6 @@ on:
       - '.github/ISSUE_TEMPLATE/**/*'
       - 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
       - 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
-      - 'docker/vex/*' # CVE exceptions we know are not in risk
 
 jobs:
   push_multi_platform_to_registries:
@@ -75,3 +74,41 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      # For Docker scout there are some intermediary reported CVEs which exists outside
+      # of execution content or are unreachable by an attacker but exist in image.
+      # We create VEX files for these so they don't show in scout summary. 
+      - name: Collect known and verified CVE exceptions
+        id: cve-list
+        run: |
+          # Collect CVEs from filenames in vex folder
+          CVE_NAMES=""
+          for file in ./docker/vex/*.vex.json; do
+            [ -e "$file" ] || continue
+            filename=$(basename "$file")
+            stripped_filename=${filename%.vex.json}
+            CVE_NAMES+=" $stripped_filename"
+          done
+          echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
+        shell: bash
+
+      # About VEX attestations https://docs.docker.com/scout/explore/exceptions/
+      # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
+      - name: Add VEX attestations
+        env:
+          CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
+        run: |
+          echo $CVE_EXCEPTIONS
+          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+          for cve in $CVE_EXCEPTIONS; do
+            for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
+              echo "Attaching VEX exception $cve to $tag"
+              docker scout attestation add \
+              --file "./docker/vex/$cve.vex.json" \
+              --predicate-type https://openvex.dev/ns/v0.2.0 \
+              $tag
+            done
+          done
+        shell: bash
+
+      

docker/vex/CVE-2019-10790.vex.json

@@ -11,41 +11,12 @@
       },
       "timestamp": "2024-07-22T13:49:12.883678-07:00",
       "products": [
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@render",
-          "subcomponents": [
         {
           "@id": "pkg:npm/taffydb@2.6.2"
         }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@railway",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/taffydb@2.6.2"
-            }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@latest",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/taffydb@2.6.2"
-            }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@master",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/taffydb@2.6.2"
-            }
-          ]
-        }
       ],
       "status": "not_affected",
-      "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
+      "justification": "vulnerable_code_not_in_execute_path"
     }
   ]
 }

docker/vex/CVE-2024-29415.vex.json

@@ -0,0 +1,22 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
+  "author": "tim@mintplexlabs.com",
+  "timestamp": "2024-07-19T16:08:47.147169-07:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2024-29415"
+      },
+      "timestamp": "2024-07-19T16:08:47.147172-07:00",
+      "products": [
+        {
+          "@id": "pkg:npm/ip@2.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present"
+    }
+  ]
+}

docker/vex/CVE-2024-37890.vex.json

@@ -11,41 +11,12 @@
       },
       "timestamp": "2024-07-19T16:08:47.147172-07:00",
       "products": [
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@render",
-          "subcomponents": [
         {
           "@id": "pkg:npm/ws@8.14.2"
         }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@railway",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/ws@8.14.2"
-            }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@latest",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/ws@8.14.2"
-            }
-          ]
-        },
-        {
-          "@id": "pkg:docker/mintplexlabs/anythingllm@master",
-          "subcomponents": [
-            {
-              "@id": "pkg:npm/ws@8.14.2"
-            }
-          ]
-        }
       ],
       "status": "not_affected",
-      "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
+      "justification": "vulnerable_code_not_in_execute_path"
     }
   ]
 }

docker/vex/CVE-2024-4068.vex.json

@@ -0,0 +1,22 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
+  "author": "tim@mintplexlabs.com",
+  "timestamp": "2024-07-19T16:08:47.147169-07:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2024-4068"
+      },
+      "timestamp": "2024-07-19T16:08:47.147172-07:00",
+      "products": [
+        {
+          "@id": "pkg:npm/braces@3.0.2"
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present"
+    }
+  ]
+}