fix: triage with directory scanning and documentation for TRIAGE.json (#4349)

mastersans · web-flow · commit 774a9956e483 · 2024-08-14T11:50:46.000-07:00
diff --git a/.github/workflows/cve_bin_tool_action.yml b/.github/workflows/cve_bin_tool_action.yml
@@ -16,4 +16,4 @@ jobs:
       - uses: intel/cve-bin-tool-action@main
         with:
           exclude_dir: test
-          triage_input_file: TRIAGE.vex
+          vex_file: TRIAGE.json
diff --git a/TRIAGE.json b/TRIAGE.json
@@ -30,7 +30,7 @@
          "analysis": {
             "state": "false_positive",
             "response": [],
-            "detail": "NewFound"
+            "detail": "false positive because the python API for zstandard has lower version numbers than the main zstandard library"
          },
          "affects": [
             {
@@ -65,7 +65,7 @@
          "analysis": {
             "state": "false_positive",
             "response": [],
-            "detail": "NewFound"
+            "detail": "false positive because the python API for zstandard has lower version numbers than the main zstandard library"
          },
          "affects": [
             {
@@ -100,7 +100,7 @@
          "analysis": {
             "state": "false_positive",
             "response": [],
-            "detail": "NewFound"
+            "detail": "RSA detected is rust library."
          },
          "affects": [
             {
@@ -135,7 +135,7 @@
          "analysis": {
             "state": "false_positive",
             "response": [],
-            "detail": "NewFound"
+            "detail": "arrow is reporting CVEs found for another product named arrow"
          },
          "affects": [
             {
@@ -170,7 +170,7 @@
          "analysis": {
             "state": "false_positive",
             "response": [],
-            "detail": "NewFound"
+            "detail": "arrow is reporting CVEs found for another product named arrow"
          },
          "affects": [
             {
@@ -205,7 +205,7 @@
          "analysis": {
             "state": "false_positive",
             "response": [],
-            "detail": "NewFound"
+            "detail": "arrow is reporting CVEs found for another product named arrow"
          },
          "affects": [
             {
@@ -240,7 +240,7 @@
          "analysis": {
             "state": "false_positive",
             "response": [],
-            "detail": "NewFound"
+            "detail": "arrow is reporting CVEs found for another product named arrow"
          },
          "affects": [
             {
@@ -275,7 +275,7 @@
          "analysis": {
             "state": "false_positive",
             "response": [],
-            "detail": "NewFound"
+            "detail": "arrow is reporting CVEs found for another product named arrow"
          },
          "affects": [
             {
@@ -310,7 +310,7 @@
          "analysis": {
             "state": "false_positive",
             "response": [],
-            "detail": "NewFound"
+            "detail": "arrow is reporting CVEs found for another product named arrow"
          },
          "affects": [
             {
@@ -415,7 +415,7 @@
          "analysis": {
             "state": "false_positive",
             "response": [],
-            "detail": "NewFound"
+            "detail": "docutils is reporting CVEs found for another product with the same name"
          },
          "affects": [
             {
@@ -450,7 +450,7 @@
          "analysis": {
             "state": "not_affected",
             "response": [],
-            "detail": "NewFound"
+            "detail": "Applied the appropriate mitigations to avoid malicious images"
          },
          "affects": [
             {
diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py
@@ -988,7 +988,6 @@ def main(argv=None):
         args["input_file"]
         and not args["input_file"].endswith(".csv")
         and not args["input_file"].endswith(".json")
-        and not args["input_file"].endswith(".vex")
     ):
         args["directory"] = args["input_file"]
         args["input_file"] = ""
@@ -1063,9 +1062,16 @@ def main(argv=None):
                 if scan_info:
                     product_info, path = scan_info
                     LOGGER.debug(f"{product_info}: {path}")
-                    triage_data = parsed_data.get(product_info, {"default": {}})
-                    # Ignore paths from triage_data if we are scanning directory
-                    triage_data["paths"] = {path}
+                    # add product_info to parsed_data to check for with vex file
+                    if product_info in parsed_data:
+                        # update the paths in triage_data with the new path
+                        triage_data = parsed_data[product_info]
+                        triage_data["paths"].add(path)
+                    else:
+                        # create a new entry if product_info not in parsed_data
+                        triage_data = {"default": {}, "paths": {path}}
+                        parsed_data[product_info] = triage_data
+
                     cve_scanner.get_cves(product_info, triage_data)
             total_files = version_scanner.total_scanned_files
 
diff --git a/doc/triaging_process.md b/doc/triaging_process.md
@@ -247,6 +247,13 @@ Note: Always pass value for `-rr` flag in double quotes
   ]
 }
 ```
+### Why We Use a `TRIAGE.json` File Inside the CVE Binary Tool Repository?
+
+The CVE Binary Tool provides functionality to include scans as part of a GitHub continuous integration (CI) workflow using the [`cve-bin-tool-action`](https://github.com/intel/cve-bin-tool-action). This action is used to scan the repository for vulnerabilities, with the results displayed in the security tab of the scanned repository.
+
+However, the generated report may sometimes include false positives. For example, CVE Binary Tool uses the Python arrow package, but the vulnerability report could mistakenly flag a vulnerability associated with Rust's arrow package, which shares the same name. Additionally, some detected vulnerabilities may not affect the repository being scanned; they might be mitigated, or the vulnerable function might not be used, as discussed earlier.
+
+To address this, cve-bin-tool-action provides an option to filter out FalsePositive and NotAffected vulnerabilities using the vex_file option in the [`cve_bin_tool_action.yml`](https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/cve_bin_tool_action.yml) configuration file, Such packages can be marked as NotAffected or FalsePositive in the TRIAGE.json file, which can then be used with cve-bin-tool-action to ensure that these entries are appropriately filtered out during the scanning process. reference: [`Issue #3193`](https://github.com/intel/cve-bin-tool/issues/3193)
 
 ### Limitations :
 

Original file line number	Diff line number	Diff line change
@@ -247,6 +247,13 @@ Note: Always pass value for `-rr` flag in double quotes
`247`	`247`	`]`
`248`	`248`	`}`
`249`	`249`	```
	`250`	+### Why We Use a `TRIAGE.json` File Inside the CVE Binary Tool Repository?
	`251`	`+`
	`252`	+The CVE Binary Tool provides functionality to include scans as part of a GitHub continuous integration (CI) workflow using the [`cve-bin-tool-action`](https://github.com/intel/cve-bin-tool-action). This action is used to scan the repository for vulnerabilities, with the results displayed in the security tab of the scanned repository.
	`253`	`+`
	`254`	`+However, the generated report may sometimes include false positives. For example, CVE Binary Tool uses the Python arrow package, but the vulnerability report could mistakenly flag a vulnerability associated with Rust's arrow package, which shares the same name. Additionally, some detected vulnerabilities may not affect the repository being scanned; they might be mitigated, or the vulnerable function might not be used, as discussed earlier.`
	`255`	`+`
	`256`	+To address this, cve-bin-tool-action provides an option to filter out FalsePositive and NotAffected vulnerabilities using the vex_file option in the [`cve_bin_tool_action.yml`](https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/cve_bin_tool_action.yml) configuration file, Such packages can be marked as NotAffected or FalsePositive in the TRIAGE.json file, which can then be used with cve-bin-tool-action to ensure that these entries are appropriately filtered out during the scanning process. reference: [`Issue #3193`](https://github.com/intel/cve-bin-tool/issues/3193)
`250`	`257`
`251`	`258`	`### Limitations :`
`252`	`259`