37 changes: 36 additions & 1 deletion .github/workflows/build-and-push-image.yaml
Expand Up @@ -22,7 +22,6 @@ on:
- '.github/ISSUE_TEMPLATE/**/*'
- 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
- 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
- 'docker/vex/*' # CVE exceptions we know are not in risk

jobs:
push_multi_platform_to_registries:
Expand Down Expand Up @@ -95,3 +94,39 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max

# For Docker scout there are some intermediary reported CVEs which exists outside
# of execution content or are unreachable by an attacker but exist in image.
# We create VEX files for these so they don't show in scout summary.
- name: Collect known and verified CVE exceptions
id: cve-list
run: |
# Collect CVEs from filenames in vex folder
CVE_NAMES=""
for file in ./docker/vex/*.vex.json; do
[ -e "$file" ] || continue
filename=$(basename "$file")
stripped_filename=${filename%.vex.json}
CVE_NAMES+=" $stripped_filename"
done
echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
shell: bash

# About VEX attestations https://docs.docker.com/scout/explore/exceptions/
# Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
- name: Add VEX attestations
env:
CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
run: |
echo $CVE_EXCEPTIONS
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
for cve in $CVE_EXCEPTIONS; do
for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
echo "Attaching VEX exception $cve to $tag"
docker scout attestation add \
--file "./docker/vex/$cve.vex.json" \
--predicate-type https://openvex.dev/ns/v0.2.0 \
$tag
done
done
shell: bash
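Review bot: The inner loop `for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do` runs exactly once, because the double quotes make the whole space-joined tag list a single word; `$tag` is then expanded unquoted on the `docker scout attestation add` line, so one invocation receives every tag as separate positional arguments instead of the command being run once per tag, which likely fails or attests only part of the set. Since this step comes after the image has already been pushed, a failure here leaves published tags without their VEX attestations. Pass the list through the environment and split it in the shell: add `IMAGE_TAGS: ${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}` under `env:`, write `for tag in $IMAGE_TAGS; do`, and quote `"$tag"` in the command — this also keeps the expression out of the shell text. Separately, `curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --` executes an unpinned, unverified script from a moving branch in a job that holds registry credentials; pin the CLI to a released version with a checksum check (or a tagged release of the published scout action) instead of piping `main` into `sh`.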
43 changes: 40 additions & 3 deletions .github/workflows/dev-build.yaml
@@ -1,12 +1,12 @@
name: Publish AnythingLLM Development Docker image (amd64)
name: AnythingLLM Development Docker image (amd64)

concurrency:
group: build-${{ github.ref }}
cancel-in-progress: true

on:
push:
branches: ['jwt-bump'] # put your current branch to create a build. Core team only.
branches: ['vex'] # put your current branch to create a build. Core team only.
paths-ignore:
- '**.md'
- 'cloud-deployments/*'
Expand All @@ -16,7 +16,6 @@ on:
- '.github/ISSUE_TEMPLATE/**/*'
- 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
- 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
- 'docker/vex/*' # CVE exceptions we know are not in risk

jobs:
push_multi_platform_to_registries:
Expand Down Expand Up @@ -75,3 +74,41 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max

# For Docker scout there are some intermediary reported CVEs which exists outside
# of execution content or are unreachable by an attacker but exist in image.
# We create VEX files for these so they don't show in scout summary.
- name: Collect known and verified CVE exceptions
id: cve-list
run: |
# Collect CVEs from filenames in vex folder
CVE_NAMES=""
for file in ./docker/vex/*.vex.json; do
[ -e "$file" ] || continue
filename=$(basename "$file")
stripped_filename=${filename%.vex.json}
CVE_NAMES+=" $stripped_filename"
done
echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
shell: bash

# About VEX attestations https://docs.docker.com/scout/explore/exceptions/
# Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
- name: Add VEX attestations
env:
CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
run: |
echo $CVE_EXCEPTIONS
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
for cve in $CVE_EXCEPTIONS; do
for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
echo "Attaching VEX exception $cve to $tag"
docker scout attestation add \
--file "./docker/vex/$cve.vex.json" \
--predicate-type https://openvex.dev/ns/v0.2.0 \
$tag
done
done
shell: bash
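Review bot: `curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --` in the `Add VEX attestations` step runs an unpinned, unverified installer from a moving branch inside a job that already holds registry credentials, so a compromise of that branch or of the download path executes code with those credentials on every dev build. Pin to a specific scout-cli release — a versioned download with a checksum check, or the published scout action at a tagged version — rather than piping `main` into `sh`. The tag loop beneath it also has a quoting defect: `for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"` yields a single word, so the loop body runs once and the unquoted `$tag` hands all tags to one `docker scout attestation add` call; move the list into `env:` as `IMAGE_TAGS: ${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}` and write `for tag in $IMAGE_TAGS; do` with `"$tag"` in the command. Because this step runs after the push, any such failure leaves already-published tags without attestations.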


33 changes: 2 additions & 31 deletions docker/vex/CVE-2019-10790.vex.json
Expand Up @@ -12,40 +12,11 @@
"timestamp": "2024-07-22T13:49:12.883678-07:00",
"products": [
{
"@id": "pkg:docker/mintplexlabs/anythingllm@render",
"subcomponents": [
{
"@id": "pkg:npm/taffydb@2.6.2"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@railway",
"subcomponents": [
{
"@id": "pkg:npm/taffydb@2.6.2"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@latest",
"subcomponents": [
{
"@id": "pkg:npm/taffydb@2.6.2"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@master",
"subcomponents": [
{
"@id": "pkg:npm/taffydb@2.6.2"
}
]
"@id": "pkg:npm/taffydb@2.6.2"
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary"
"justification": "vulnerable_code_not_in_execute_path"
}
]
}
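Review bot: With the product collapsed from the `pkg:docker/mintplexlabs/anythingllm@…` image purls (each carrying taffydb as a `subcomponents` entry) to the bare `pkg:npm/taffydb@2.6.2`, the statement now asserts that taffydb 2.6.2 itself is `not_affected` by CVE-2019-10790 with `vulnerable_code_not_in_execute_path`, whereas the workflow comment only claims the code is unreachable inside this image. That is a stronger claim than the analysis supports, and any consumer of the attestation could read it as applying to the package in general; the OpenVEX product/subcomponent split exists precisely to scope it (image as product, package as affected subcomponent). If Scout's matching required dropping the image-level purls — the tag-specific purls suggest that was the problem — keep the scoping inside the document by adding an `"impact_statement": "..."` next to `justification` that records where taffydb is pulled in and why its vulnerable function is not executed by the server, so the exception can be re-verified when the dependency or its use changes.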
22 changes: 22 additions & 0 deletions docker/vex/CVE-2024-29415.vex.json
@@ -0,0 +1,22 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
"author": "tim@mintplexlabs.com",
"timestamp": "2024-07-19T16:08:47.147169-07:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2024-29415"
},
"timestamp": "2024-07-19T16:08:47.147172-07:00",
"products": [
{
"@id": "pkg:npm/ip@2.0.0"
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present"
}
]
}
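Review bot: The `@id` `https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004` and both `timestamp` values are byte-identical to those in docker/vex/CVE-2024-4068.vex.json, so two distinct VEX documents share one identifier; OpenVEX document ids are meant to be unique (the generated form is a hash over the document), and a consumer that keys on `@id` may merge or drop one of them. Regenerate the id per document instead of copying it from a template. The justification `vulnerable_code_not_present` also sits oddly with a product of `pkg:npm/ip@2.0.0`: that justification states the vulnerable code is absent from the product, but here the product is the flagged package version itself. If the intent is that the server never calls the affected function, `vulnerable_code_not_in_execute_path` (as the other files in this directory use) together with an `impact_statement` explaining the reasoning would be the consistent and auditable choice.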
33 changes: 2 additions & 31 deletions docker/vex/CVE-2024-37890.vex.json
Expand Up @@ -12,40 +12,11 @@
"timestamp": "2024-07-19T16:08:47.147172-07:00",
"products": [
{
"@id": "pkg:docker/mintplexlabs/anythingllm@render",
"subcomponents": [
{
"@id": "pkg:npm/ws@8.14.2"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@railway",
"subcomponents": [
{
"@id": "pkg:npm/ws@8.14.2"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@latest",
"subcomponents": [
{
"@id": "pkg:npm/ws@8.14.2"
}
]
},
{
"@id": "pkg:docker/mintplexlabs/anythingllm@master",
"subcomponents": [
{
"@id": "pkg:npm/ws@8.14.2"
}
]
"@id": "pkg:npm/ws@8.14.2"
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary"
"justification": "vulnerable_code_not_in_execute_path"
}
]
}
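Review bot: The justification change from `vulnerable_code_cannot_be_controlled_by_adversary` to `vulnerable_code_not_in_execute_path` changes what is being claimed about ws@8.14.2 — from "reachable but not attacker-influenced" to "never executed" — yet nothing in the file records the reasoning for either, and with the image-scoped products removed the statement reads as a blanket assertion about the ws package rather than about this image. Without an `impact_statement` a later reviewer cannot tell whether the exception still holds once the server's use of ws changes, and the file will keep suppressing the finding silently. Add `"impact_statement": "<where ws is loaded in the image and why the vulnerable path is not exercised>"` alongside `justification`, and consider restoring the image as the product with ws as a `subcomponents` entry if Scout's matching allows it.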
22 changes: 22 additions & 0 deletions docker/vex/CVE-2024-4068.vex.json
@@ -0,0 +1,22 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004",
"author": "tim@mintplexlabs.com",
"timestamp": "2024-07-19T16:08:47.147169-07:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2024-4068"
},
"timestamp": "2024-07-19T16:08:47.147172-07:00",
"products": [
{
"@id": "pkg:npm/braces@3.0.2"
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present"
}
]
}
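Review bot: `vulnerable_code_not_present` is hard to defend when the product is literally `pkg:npm/braces@3.0.2`, the package version being reported: that justification is for cases where the vulnerable code has been stripped or is not shipped, and a consumer reading this statement would conclude braces 3.0.2 is clean in general. If the actual basis is that braces is only reached through build tooling or with non-attacker input inside this image, say so with `vulnerable_code_not_in_execute_path` or `vulnerable_code_cannot_be_controlled_by_adversary` plus an `impact_statement`, and scope it to the image via a `subcomponents` entry if Scout's matching permits. This document also reuses the `@id` and `timestamp` values of CVE-2024-29415.vex.json verbatim; the `@id` should be unique per document.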