| 1 | +# Scanning Validation |
| 2 | + |
| 3 | +## Executive Summary |
| 4 | + |
| 5 | +This document outlines the testing methodology and results for validating Chainguard VEX (Vulnerability Exploitability eXchange) integration with third party vulnerability scanners. The testing specifically focuses on Chainguard's Python library versioning system and demonstrates successful recognition of VEX statements for patched vulnerabilities. |
| 6 | + |
| 7 | +## Test Objective |
| 8 | + |
| 9 | +To validate that a vulnerability scanner: |
| 10 | + |
| 11 | +1. Differentiate between standard upstream versions and Chainguard-patched versions |
| 12 | +2. Respect VEX statements provided by Chainguard for addressed vulnerabilities |
| 13 | +3. Produce accurate vulnerability assessments based on Chainguard's security patches |
| 14 | + |
| 15 | +### Upstream (Vulnerable) Container Image |
| 16 | + |
| 17 | +* **Image URI**: `docker.io/vulhub/aiohttp:3.9.1` |
| 18 | +* **Provider**: Vulhub |
| 19 | +* **Purpose**: Reference image containing vulnerable library |
| 20 | + |
| 21 | +### Vulnerable Library |
| 22 | + |
| 23 | +* **Package Name**: aiohttp |
| 24 | +* **Version**: 3.9.1 |
| 25 | + |
| 26 | +### Chainguard (Fixed) Container Image |
| 27 | + |
| 28 | +* **Image URI**: `ghcr.io/chainguard-images/scanner-test:python-library-aiohttp-chainguard` |
| 29 | +* **Provider**: Chainguard |
| 30 | +* **Purpose**: Reference image containing remediated vulnerability for testing the Python library VEX integration |
| 31 | + |
| 32 | +### Fixed Library |
| 33 | + |
| 34 | +* **Package Name**: aiohttp |
| 35 | +* **Version**: 3.9.1+cgr.2 |
| 36 | + |
| 37 | +## Test Cases |
| 38 | + |
| 39 | +### Step 1: Verify Chainguard Versioning Format |
| 40 | + |
| 41 | +**Version Format**: The version string `3.9.1+cgr.2` is correctly captured by the vulnerability scanner for the Chainguard image referenced above. |
| 42 | + |
| 43 | +* `3.9.1`: Upstream version |
| 44 | +* `+cgr.2`: Chainguard patch level indicator |
| 45 | + |
| 46 | +### Step 2: Comparative Analysis |
| 47 | + |
| 48 | +#### Control Test - Standard Upstream Version (3.9.1) |
| 49 | + |
| 50 | +To validate VEX effectiveness, a comparative scan should be performed using the standard upstream version of aiohttp (version `3.9.1` without the Chainguard suffix) provided in the Vulhub image referenced above. |
| 51 | + |
| 52 | +#### Key Finding |
| 53 | + |
| 54 | +**C-2024-23334** appears in the High severity findings list for the standard `3.9.1` version but is **NOT** present in the Chainguard `3.9.1+cgr.2` version scan results. |
| 55 | + |
| 56 | +#### Interpretation |
| 57 | + |
| 58 | +This demonstrates that: |
| 59 | + |
| 60 | +1. Vulnerability scanner correctly identifies C-2024-23334 as affecting aiohttp 3.9.1 |
| 61 | +2. The Chainguard VEX statement successfully communicates that this vulnerability has been patched in version `3.9.1+cgr.2` |
| 62 | +3. Vulnerability scanner respects the VEX statement and excludes the patched vulnerability from the findings |
| 63 | + |
| 64 | +## VEX Data Source Validation |
| 65 | + |
| 66 | +### Chainguard VEX Endpoint |
| 67 | + |
| 68 | +Chainguard publishes VEX data for the aiohttp package at: |
| 69 | + |
| 70 | +**URL**: https://libraries.cgr.dev/openvex/v1/pypi/aiohttp.openvex.json |
| 71 | + |
| 72 | +### VEX Statement Verification |
| 73 | + |
| 74 | +The scan results align precisely with the VEX statements published by Chainguard. The VEX document indicates which vulnerabilities have been addressed in specific Chainguard patch versions, and the Vulnerability scanner's scan results accurately reflect these statements. |
| 75 | + |
| 76 | +## Test Results Summary |
| 77 | + |
| 78 | +### Successful Validations |
| 79 | + |
| 80 | +✅ **Version Recognition**: Vulnerability scanner correctly parsed and recognized the Chainguard-specific version format |
| 81 | + |
| 82 | +✅ **VEX Integration**: VEX statements from Chainguard were properly consumed and applied during vulnerability assessment |
| 83 | + |
| 84 | +✅ **Vulnerability Differentiation**: Scan results correctly differentiated between patched (Chainguard) and unpatched (upstream) versions |
| 85 | + |
| 86 | +✅ **Vulnerability Exclusion**: C-2024-23334 was appropriately excluded from Chainguard version findings based on VEX data |
| 87 | + |
| 88 | + |
| 89 | +### Vulnerability Count Comparison |
| 90 | + |
| 91 | +|Version |Critical |High |Medium |Low |Other | |
| 92 | +|--- |--- |--- |--- |--- |--- | |
| 93 | +|3.9.1+cgr.2 (Chainguard) |0 |3 |3 |0 |0 | |
| 94 | +|3.9.1 (standard) |0 |4 (included C-2024-23334) |3 |0 |0 | |
| 95 | + |
| 96 | +## Conclusion |
| 97 | + |
| 98 | +The testing demonstrates successful integration between Chainguard VEX and the chose Vulnerability scanner. The scanner correctly: |
| 99 | + |
| 100 | +* Recognizes Chainguard's custom versioning scheme |
| 101 | +* Consumes and applies VEX statements during vulnerability assessment |
| 102 | +* Provides accurate security posture information that reflects actual patch status |
| 103 | + |
| 104 | +This validation confirms that the Vulnerabilty scanner can effectively leverage Chainguard's VEX data to provide accurate vulnerability assessments for Chainguard-maintained Python libraries, reducing false positives and improving security signal quality for users of Chainguard images. |
| 105 | + |
| 106 | +## References |
| 107 | + |
| 108 | +* **Chainguard VEX Data**: https://libraries.cgr.dev/openvex/v1/pypi/aiohttp.openvex.json |
| 109 | + |
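Review bot: the vulnerability identifier `C-2024-23334`, used in the Key Finding, Interpretation, Successful Validations and Vulnerability Count Comparison sections, does not follow the CVE-YYYY-NNNNN form a scanner actually reports, so a reader cannot cross-check the finding as written; confirm the intended identifier against the VEX document linked under References and use it consistently throughout. The scanner under test is also never named or versioned (it appears only as "Vulnerability scanner" and, in the Conclusion, "the chose Vulnerability scanner"), which makes the result non-reproducible; add the scanner name and version plus the exact scan commands run against `docker.io/vulhub/aiohttp:3.9.1` and `ghcr.io/chainguard-images/scanner-test:python-library-aiohttp-chainguard`, and quote the relevant VEX statement (product, vulnerability, status) that the "align precisely" claim in VEX Statement Verification rests on. Minor wording: the three Test Objective items should read "Differentiates", "Respects" and "Produces" to agree with "a vulnerability scanner"; "chose" in the Conclusion should be "chosen"; and "Vulnerabilty" in the closing paragraph is misspelled.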
| 110 | +* * * |
0 commit comments