
Add vulnerability definition date info to scan results #37

Open
shawngmc opened this issue Nov 28, 2022 · 3 comments

Comments

@shawngmc

Currently, a scan with this appears to simply show the version of Anchore - given that the Anchore version doesn't change often, and the vulnerability definitions are far more important, is there anywhere to append that information - at least a 'last updated' date?

@zhill
Member

zhill commented Jan 5, 2023

@shawngmc do you mean the date the vulnerability information was updated from the upstream source, or are you asking for a per-CVE update date such as when a specific CVE was created/updated in the upstream source?

@shawngmc
Author

shawngmc commented Jan 5, 2023

> @shawngmc do you mean the date the vulnerability information was updated from the upstream source, or are you asking for a per-CVE update date such as when a specific CVE was created/updated in the upstream source?

I mean the date the vulnerability information DB was pulled from upstream. If a CVE comes out today and I scan on an air-gapped instance tomorrow, I'll have no indication when the vulnerability definitions are from.

I'm not expecting Harbor to necessarily show this in the UI. Harbor has a JSON endpoint at projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/additions/vulnerabilities which provides a JSON report of what Harbor knows about the scan.

There is a very limited amount of metadata, including the date of the scan (generated_at) and a scanner metadata block (scanner) which has name, vendor and version attributes. Currently, the Anchore version reported is 1.0.0; I'm using anchore-scanner-adapter v1.0.1 and anchore community v1.1.0. Instead, this info is currently hard-coded at

```go
AdapterVersion = "1.0.0"
```

I'm wondering if this block is flexible. I'm not sure if it's populated at scanner config time or scan time. It might be possible for the harbor-scanner-adapter to at least update it periodically.

Trivy seems to populate it at scanner-adapter build time (https://github.com/aquasecurity/harbor-scanner-trivy/blob/9be8b31a00fad4b44d529a57b1eecca28884cbb5/.goreleaser.yml).

If we can't add any other fields, I wonder if instead it could, for the version, be something like:

```json
"scanner": {
  "name": "Anchore",
  "vendor": "Anchore Inc.",
  "version": "anchore-scanner-adapter:v1.0.1;anchore-oss:v1.1.0;grype:v0.54.1;vulnerabilities-updated:2023-01-05T01:02:03"
}
```

I understand there are the multiple vulnerability streams, etc. - but having some information would be a good Minimum Viable Product.

@shawngmc
Author

shawngmc commented Jan 6, 2023

I've done a bit of digging as part of something else I was doing, and Harbor should be able to support something here.

In the harbor DB, tables:

  • vulnerability_record: rows mapping known vulnerabilities to an installed scanner
  • scanner_registration: rows storing the configuration for harbor to talk to the scanner adapter
  • scan_record: a row for each scan harbor has done, containing the JSON scan report
  • report_vulnerability_record: one scan_report to many vulnerability_record relation - interpreted scan report mapped to known CVEs to allow searches, etc.

The json report in the scan_record table contains the name/vendor/version fields.

Given that the stored JSON document is being generated by the scanner adapter (the scan_record table has a mime_type column, and for Anchore results it has the "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0" produced by the scanner adapter).

It looks like the scanner metadata is added to the report here in ToHarborScanResult. Currently, this just pulls from that version listed on line 15 I mentioned earlier.

ToHarborScanResult has access to the ImageVulnerabilityReport struct, but that doesn't appear to have any metadata on the engine state.

Looking at the Engine API docs:

  • Anchore Version: There's a /version endpoint that can return this.
  • Anchore-Scanner-Adapter Version: The adapter already knows this.
  • Grype Version: Unfortunately, I don't think the Anchore API can report this - but it is currently tied to the Anchore-engine version in Anchore-oss (not sure about Enterprise)
  • Vulnerability Updated: /system/feeds returns this, and explicitly says "Return a list of feed and their groups along with update and record count information. This data reflects the state of the policy engine, not the upstream feed service itself." This is a lot of data, and not all apply to every image. While the IDEAL would be to include the relevant vuln feeds, that's hard to determine and could be quite a few. As a compromise, using the most recent date (or perhaps some other Anchore API) might make more sense.

So while it would be an additional API call or two to Anchore, these should be lightweight calls, the FeedGroup model already exists in the Anchore go library, and it would make the scan report Harbor has much more useful.
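The two halves of this proposal, the adapter composing a `scanner.version` string from Anchore's `/system/feeds` data (this comment) and an air-gapped operator reading that string back out of Harbor's `additions/vulnerabilities` report to judge how old the definitions were at scan time (the Jan 5 comment), as one added worked example in Go. This is illustrative code written for this page, not code from harbor-scanner-adapter or Anchore; the `Feed`/`FeedGroup` structs are a reduced approximation of the engine's feed metadata models (only `name`, `enabled`, `groups`, `last_sync`, `record_count` are used, and the exact field set is an assumption), the feeds JSON and the Harbor report fragment are constructed sample inputs, and the key:value;key:value layout of the version field is the format proposed in the thread, not anything Harbor defines. Two choices not in the thread: the timestamp is emitted as RFC 3339 in UTC so it is unambiguous off-line, and groups belonging to disabled feeds are ignored when picking the most recent sync.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// FeedGroup and Feed are a reduced, assumed shape of one element of an
// Anchore Engine /system/feeds response. A group that has never synced
// carries last_sync: null, which leaves LastSync as the zero time.
type FeedGroup struct {
	Name        string    `json:"name"`
	LastSync    time.Time `json:"last_sync"`
	RecordCount int       `json:"record_count"`
}

type Feed struct {
	Name    string      `json:"name"`
	Enabled bool        `json:"enabled"`
	Groups  []FeedGroup `json:"groups"`
}

// Scanner is the metadata block Harbor stores in the vulnerability report.
type Scanner struct {
	Name    string `json:"name"`
	Vendor  string `json:"vendor"`
	Version string `json:"version"`
}

// Report is the subset of Harbor's vulnerability report used here.
type Report struct {
	GeneratedAt time.Time `json:"generated_at"`
	Scanner     Scanner   `json:"scanner"`
}

// Constructed sample /system/feeds payload: one enabled feed with a synced and
// a never-synced group, and a disabled feed whose later sync must be ignored.
const sampleFeeds = `[
  {"name":"vulnerabilities","enabled":true,"groups":[
    {"name":"debian:11","last_sync":"2023-01-04T23:15:00Z","record_count":12000},
    {"name":"alpine:3.17","last_sync":null,"record_count":0}]},
  {"name":"nvdv2","enabled":false,"groups":[
    {"name":"nvdv2:cves","last_sync":"2023-01-05T03:00:00Z","record_count":190000}]}
]`

// LatestFeedSync implements the "compromise" from the thread: a single date,
// the most recent last_sync across all groups of enabled feeds.
func LatestFeedSync(feeds []Feed) (time.Time, bool) {
	var latest time.Time
	for _, f := range feeds {
		if !f.Enabled {
			continue
		}
		for _, g := range f.Groups {
			if g.LastSync.After(latest) {
				latest = g.LastSync
			}
		}
	}
	return latest, !latest.IsZero()
}

// BuildScannerBlock is the adapter-side half: compose the version field as
// key:value pairs separated by ';'. Order is fixed so the output is stable.
func BuildScannerBlock(adapterVer, engineVer string, feeds []Feed) Scanner {
	parts := []string{"anchore-scanner-adapter:" + adapterVer, "anchore-oss:" + engineVer}
	if ts, ok := LatestFeedSync(feeds); ok {
		parts = append(parts, "vulnerabilities-updated:"+ts.UTC().Format(time.RFC3339))
	}
	return Scanner{Name: "Anchore", Vendor: "Anchore Inc.", Version: strings.Join(parts, ";")}
}

// ParseVersionField splits the composite version back into a map. Values can
// themselves contain ':' (an RFC 3339 time does), so only the first ':' splits.
func ParseVersionField(v string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(v, ";") {
		if k, val, ok := strings.Cut(kv, ":"); ok {
			out[strings.TrimSpace(k)] = strings.TrimSpace(val)
		}
	}
	return out
}

// DefinitionAge is the operator-side half: how old were the definitions when
// the scan ran? ok is false when the block carries no date, which is exactly
// what a plain "1.0.0" version (today's behaviour) yields.
func DefinitionAge(generatedAt time.Time, s Scanner) (time.Duration, bool) {
	raw, found := ParseVersionField(s.Version)["vulnerabilities-updated"]
	if !found {
		return 0, false
	}
	ts, err := time.Parse(time.RFC3339, raw)
	if err != nil {
		return 0, false
	}
	return generatedAt.Sub(ts), true
}

func main() {
	var feeds []Feed
	if err := json.Unmarshal([]byte(sampleFeeds), &feeds); err != nil {
		panic(err)
	}
	scanner := BuildScannerBlock("v1.0.1", "v1.1.0", feeds)
	// Constructed Harbor report fragment, as if read from additions/vulnerabilities.
	rep := Report{GeneratedAt: time.Date(2023, 1, 6, 10, 0, 0, 0, time.UTC), Scanner: scanner}
	if age, ok := DefinitionAge(rep.GeneratedAt, rep.Scanner); ok {
		fmt.Printf("definitions were %s old at scan time (stale: %v)\n", age, age > 24*time.Hour)
	} else {
		fmt.Println("report carries no vulnerability definition date")
	}
}
```

Run as-is and the sample report is flagged stale: the scan on 2023-01-06 used definitions last synced on 2023-01-04, while the disabled nvdv2 feed's later sync is correctly not counted. Feeding `Scanner{Version: "1.0.0"}` to `DefinitionAge` returns `ok == false`, which is the gap the issue describes.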
