Description
Background
Currently, Grype (and Syft) operate primarily on a "bucket of packages" paradigm. When scanning a container image, the engine looks inside the image for discrete components (RPMs, NPMs, JARs) to match against vulnerability databases.
However, many modern software products (e.g. Grafana, GitLab, and various Red Hat appliances) are distributed and versioned as OCI images. Vulnerabilities (CVEs) for these products are frequently issued against the top-level product version (the image tag or digest) rather than the underlying OS or application dependencies.
Because Grype currently focuses on image contents and does not consider the image itself as a candidate for matching, it suffers from false negatives for these image-as-product CVEs.
Proposal
Introduce a mechanism in Grype where the scan target itself, if it is an image, is a candidate for matching against the vulnerability database. This enhancement requires a few capabilities:
- Grype needs to recognize the scan target as an image-as-product image, e.g. "this image is gitlab-ce".
- Vunnel and Grype-DB need to pull in this data (Red Hat CSAF already has some pkg:oci/... PURLs in VEX/advisory data), and Grype needs a way to match against this data.
The next step here is to research what fields are available to Grype today to identify the image, and research which vendors of image-as-product products have security feeds and what sort of data is in those feeds to line things up.
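To make the proposal concrete, here is an added example (not Grype's own code) of how a scan target could be matched as an image against pkg:oci PURLs in advisory data. It assumes the pkg:oci layout from the PURL spec (name, a percent-encoded digest as the version, and `repository_url` and `tag` qualifiers) and uses constructed advisory records; the `Advisory` type and matching rules are illustrative, not Grype-DB's schema.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// OCIRef holds the parts of a pkg:oci PURL used for matching: lowercased name, digest from the version part, and the repository_url and tag qualifiers.
type OCIRef struct{ Name, Digest, Repo, Tag string }

// ParseOCIPurl parses "pkg:oci/<name>[@<digest>][?qualifiers]"; per the PURL spec the ':' of "sha256:" is percent-encoded.
func ParseOCIPurl(purl string) (OCIRef, error) {
	var ref OCIRef
	if !strings.HasPrefix(purl, "pkg:oci/") {
		return ref, fmt.Errorf("not a pkg:oci PURL: %q", purl)
	}
	// Without a scheme, url.Parse treats everything before '?' as a path and decodes the percent-escapes.
	u, err := url.Parse(strings.TrimPrefix(purl, "pkg:oci/"))
	if err != nil {
		return ref, err
	}
	name, digest, _ := strings.Cut(u.Path, "@")
	q := u.Query()
	ref.Name, ref.Digest, ref.Repo, ref.Tag = strings.ToLower(name), digest, q.Get("repository_url"), q.Get("tag")
	return ref, nil
}

// Advisory is a constructed, minimal feed record: an ID and the pkg:oci PURL it affects.
type Advisory struct{ ID, Purl string }

// MatchImage returns the IDs of advisories whose pkg:oci PURL identifies the scan target itself:
// a digest match is exact; otherwise name, repository (when both sides give one) and tag must agree.
func MatchImage(target OCIRef, advisories []Advisory) []string {
	var hits []string
	for _, a := range advisories {
		adv, err := ParseOCIPurl(a.Purl)
		if err != nil {
			continue // a malformed or non-OCI feed entry is skipped, not a scan failure
		}
		byDigest := adv.Digest != "" && adv.Digest == target.Digest
		repoOK := adv.Repo == "" || target.Repo == "" || adv.Repo == target.Repo
		byTag := adv.Name == target.Name && repoOK && adv.Tag != "" && adv.Tag == target.Tag
		if byDigest || byTag {
			hits = append(hits, a.ID)
		}
	}
	return hits
}
```

A real implementation would also need version-range semantics for tags, since feeds often state "fixed in" versions rather than one exact tag.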