update docs
- reflect latest changes
miraculixx committed Jun 11, 2024
1 parent f9ca0c4 commit a8ec61d
Showing 10 changed files with 68 additions and 48 deletions.
102 changes: 61 additions & 41 deletions README.md
Expand Up @@ -6,7 +6,7 @@
bogrod
======

Manage vulnerabilities analysis (VEX/SBOM) in cyclonedx format like source code.
Manage vulnerabilities SBOM and VEX analysis like source code.

Why?
----
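Review bot: the new tagline on the second line of this hunk, "Manage vulnerabilities SBOM and VEX analysis like source code.", reads awkwardly and drops the CycloneDX mention the old line carried; suggest "Manage vulnerability SBOM and VEX analysis (CycloneDX) like source code." so the format stays discoverable from the first line of the README.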
Expand Down Expand Up @@ -105,7 +105,7 @@ VEX analysis information.

$ syft jupyter/base-notebook:ubuntu-20.04 --file releasenotes/sbom/jupyter-base-notebook.syft.json --output json

2. Find VEX information
2. Find detailed information for each vulnerability

# we output two grype reports
# -- this first report includes detailed VEX information
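Review bot: the renamed step "2. Find detailed information for each vulnerability" no longer says where the detail comes from, while the comment directly below it still speaks of "two grype reports" and "detailed VEX information"; suggest naming the tool in the step, e.g. "2. Run grype to produce the VEX and detail reports", so the step title matches the commands it introduces.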
Expand All @@ -118,8 +118,8 @@ VEX analysis information.
# -- bogrod automatically uses the .grype report to provide additional information for each vulnerability
$ bogrod --work -S releasenotes/sbom/jupyter-base-notebook.cdx.json --vex-file releasenotes/sbom/vex.yaml --update-vex --merge-vex

Note that bogrod will automatically find the .vex and .grype files corresponding to the .cdx file,
if these are not specified.
Note that bogrod will automatically find the related .vex, .cdx, .grype files, if named according to
the conventions described above.

Working with vulnerabilities
----------------------------
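Review bot: the rewritten note lists .vex, .cdx and .grype as files bogrod finds automatically, but in the command above the .cdx file is the one passed explicitly with -S, so it is the anchor rather than something to discover; the old wording (find the .vex and .grype files corresponding to the .cdx file) was more precise. The example also passes --vex-file releasenotes/sbom/vex.yaml, which does not follow the image-based naming of jupyter-base-notebook.cdx.json and jupyter-base-notebook.syft.json, so a reader cannot tell what "the conventions described above" require for the VEX file; either rename the example file to match the convention or state the convention in this note.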
Expand All @@ -132,22 +132,58 @@ so that you can filter, select and analyze each one in turn.

![bogrod demo](resources/demo1.png)

Press Enter to show the details of the vulnerability
* Press Enter to show the details of the vulnerability.
* Press V to show the vulnerability in its related NVD or CVE web page.
* Save analysis and quit by pressing `Ctrl-C` or `Q`.

![bogrod demo](resources/demo2.png)

Save analysis and quit by pressing Ctrl-C or Q
* Filter the list of vulnerabilites by the various quick criteria on the left by selecting
one of the listed values. Press `F` and use the `tab` key to cycle through the options.
* Use the `/` key to enter a search term. Search terms are of the form `<column>:<value>`
where *column* is one of the columns in the table and *value* is the value to search for.

![bogrod demo](resources/demo3.jpg)
![bogrod demo](resources/demo3.png)

* Edit multiple vulnerabilities at marking related entries using ctrl+space.
* Then select any one of the marked entries to enter your analysis and press
`Ctrl+S` to save. All marked entries will be updated with the same analysis.

![bogrod demo](resources/demo4.png)

* Select or edit (`enter`) any vulnerability and press `V` to open the respective CVE
or NVD page in your browser. This allows for a very smooth workflow because you don't
have to copy/paste the CVE-# to your browser.

![bogrod demo](resources/demo5.png)

* While editing a vulnerability, store the analysis as a template by pressing `Ctrl+T`.
This will store the analysis as a template for the component or artifact.
* Apply a template by pressing `T` and selecting the template to apply.
* For every component analyzed, bogrod automatically creates a template by the name
of the component, making it easy to apply the same analysis to related vulnerabilities.

![bogrod demo](resources/demo6.png)

* Uploading vulnerabilities to a vulnerabilities management platform, such as [elementaris
by Essentx](https://github.com/essentxag/elementaris-docu), is straight forward.

$ bogrod --upload elementaris releasenotes/sbom/jupyter-base-notebook.cdx.json

* The service automatically returns a report based on its own analysis. In case of
issues found, the affected vulnerabilities will be marked by including a `*` postfix
to its state
* Press enter to show the details of the vulnerability and the report from the service.

![bogrod demo](resources/demo7.png)

Working with multiple images
----------------------------

Sometimes we may have the artefacts built from the same source image and thus
find similar vulnerabilities. It would be a waste of time to keep analysing the
same vulnerability multiple times. Therefore, we can combine bogrod's vex information
(a yaml file) for multiple images, while bogrod keeps track of where each
same vulnerability multiple times. Therefore, we can combine vex information
stored by bogrod (a yaml file) for multiple images. bogrod keeps track of where each
vulnerabillity came from.

To simplify this process, create a .bogrod file that references each image's
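Review bot: the `bogrod --upload elementaris ...` example sends the whole vulnerability analysis to an external service, but the text never says how the service endpoint and credentials are configured or that a network call is made; document that (config file, environment variable or flag) next to the command so users know what leaves their environment. Typos and grammar in the added bullets: "vulnerabilites" -> "vulnerabilities", "Edit multiple vulnerabilities at marking related entries" -> "by marking related entries", "straight forward" -> "straightforward", "vulnerabillity" -> "vulnerability", and the bullet ending "to its state" lacks a full stop. Key names are formatted three ways (Press V, `V`, ctrl+space, `Ctrl+S`); pick one, e.g. backticked `Ctrl+Space`.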
Expand Down Expand Up @@ -181,7 +217,7 @@ Vulnerability Exploit information (VEX)
---------------------------------------

Bogrod can extract vulnerability exploit information from
the release notes or from a vex.yaml file (--vex-file)::
the vex.yaml file (--vex-file)::

# vex.yaml
CVE-2022-999999:
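Review bot: the changed line keeps the reStructuredText literal-block marker `::` after "(--vex-file)", which Markdown does not render, so the double colon shows up verbatim in README.md; replace it with a single colon and wrap the vex.yaml example in a fenced ```yaml block.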
Expand Down Expand Up @@ -320,30 +356,12 @@ or more vulnerabilities are in state in_triage or exploitable, the pipeline will

bogrod --fail-on-issues releasenotes/sbom/jupyter-base-notebook.cdx.json

Release Notes Format
--------------------

[deprecated] This feature will be removed in a future version, in favor of templated reporting options.

The release notes format is simply a YAML file with a security section:

# notes.yaml
# security:
# - <CVE#> severity status [comment]
security:
- CVE-2022-999999 high open will fix in next release
- CVE-2022-999989 high fixed will fix in next release

This is a superset of the release notes format used by reno, the release notes tools.


Pipeline with grype and reno
----------------------------

1. reno => create release notes
1. syft => scan image and create sbom
2. grype => scan image and create sbom
3. bogrod => update release notes with vulns found in sbom
4. reno report => build release notes

Tools
-----
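Review bot: the pipeline list now describes both syft and grype as "scan image and create sbom", which is wrong for grype: syft creates the SBOM and grype scans it (or the image) and reports vulnerabilities, as the earlier hunk's syft command and "two grype reports" comments put it; suggest "2. grype => scan sbom/image and report vulnerabilities". The heading "Pipeline with grype and reno" still names reno although the reno steps and the deprecated Release Notes Format section are removed here and syft is not in the heading; rename it to "Pipeline with syft, grype and bogrod".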
Expand Down Expand Up @@ -373,20 +391,22 @@ Specification
* browser https://cyclonedx.org/docs/1.4/json/
* jsonschema https://github.com/CycloneDX/specification/releases

Commercial Support
------------------

Commercial training and support for use of bogrod is available from productaize.
Please contact us at info at productaize.io for more information.

What's in a name?
-----------------

I was looking for the name of a trusted secret keeper of sorts. A fan of Harry Potter's
I found some character from Gringotts Wizarding Bank would be a great fit.

*Wikipedia* has this to say about Bogrod:
I was looking for the name of a trusted secret keeper of sorts. An early fan of Harry Potter's
I found some character from Gringotts Wizarding Bank would be a great fit. *Wikipedia* has this to say about Bogrod:
*Bogrod, a goblin, is one of the counter staff (what would be tellers in a Muggle bank) at Gringotts Wizarding Bank in
Diagon Alley.*

<a title="Eliedion, CC BY-SA 4.0 &lt;https://creativecommons.org/licenses/by-sa/4.0&gt;, via Wikimedia Commons" href="https://commons.wikimedia.org/wiki/File:Audio-animatronic_of_Harry_Potter_and_the_Escape_from_Gringotts.JPG"><img width="64" alt="Audio-animatronic of Harry Potter and the Escape from Gringotts" src="https://upload.wikimedia.org/wikipedia/commons/thumb/7/7b/Audio-animatronic_of_Harry_Potter_and_the_Escape_from_Gringotts.JPG/64px-Audio-animatronic_of_Harry_Potter_and_the_Escape_from_Gringotts.JPG"></a>
Bogrod, a goblin, is one of the counter staff (what would be tellers in a Muggle bank) at Gringotts Wizarding Bank in
Diagon Alley.
Credits:

Source: https://en.wikibooks.org/wiki/Muggles%27_Guide_to_Harry_Potter/Characters/Bogrod
Image by: Eliedion, CC BY-SA
4.0 https://commons.wikimedia.org/wiki/File:Audio-animatronic_of_Harry_Potter_and_the_Escape_from_Gringotts.JPG"><img
width="64" alt="Audio-animatronic of Harry Potter and the Escape from Gringotts"
src="https://upload.wikimedia.org/wikipedia/commons/thumb/7/7b/Audio-animatronic_of_Harry_Potter_and_the_Escape_from_Gringotts.JPG/64px-Audio-animatronic_of_Harry_Potter_and_the_Escape_from_Gringotts.JPG
* Wikipedia: https://en.wikibooks.org/wiki/Muggles%27_Guide_to_Harry_Potter/Characters/Bogrod
* Image by: Eliedion, CC BY-SA
4.0 https://commons.wikimedia.org/wiki/File:Audio-animatronic_of_Harry_Potter_and_the_Escape_from_Gringotts.JPG">
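Review bot: the credits at the end of this hunk are broken markup: the last line ends with a stray `">` left over from the removed <a> tag, which will appear as literal text in the rendered README, and the two lines before it still carry an unclosed `<img` fragment. The first credit is labelled "Wikipedia:" while the URL points to en.wikibooks.org (the Muggles' Guide), and the paragraph above attributes the quote to Wikipedia as well; label it "Wikibooks:" or change the attribution. Suggest a clean list:
* Source: https://en.wikibooks.org/wiki/Muggles%27_Guide_to_Harry_Potter/Characters/Bogrod
* Image: Eliedion, CC BY-SA 4.0, https://commons.wikimedia.org/wiki/File:Audio-animatronic_of_Harry_Potter_and_the_Escape_from_Gringotts.JPG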
Binary file modified resources/demo1.png
Binary file modified resources/demo2.png
Binary file removed resources/demo3.jpg
Binary file not shown.
Binary file added resources/demo3.png
Binary file added resources/demo4.png
Binary file added resources/demo5.png
Binary file added resources/demo6.png
Binary file added resources/demo7.png
14 changes: 7 additions & 7 deletions resources/process.drawio
@@ -1,4 +1,4 @@
<mxfile host="app.diagrams.net" modified="2024-04-23T13:45:36.949Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" etag="cUUxL0Ab2P3MnJ5Kmjwk" version="24.2.3" type="device">
<mxfile host="app.diagrams.net" modified="2024-06-11T15:56:08.522Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" etag="XlOiZQbNRaNtZZbEgB6w" version="24.5.2" type="device">
<diagram id="LGDP_pIZAGlwTwSJ4sjn" name="Page-1">
<mxGraphModel dx="1434" dy="852" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="850" pageHeight="1100" math="0" shadow="0">
<root>
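Review bot: the mxfile header change commits the editor's browser user-agent string ("Mozilla/5.0 (X11; Linux x86_64) ... Chrome/125.0.0.0") together with a new etag and timestamp; none of that affects the diagram, and it records the author's browser and OS in the repository history. Consider stripping the host, agent and etag attributes before committing (the diagram content does not depend on them), which also stops every save from producing a metadata-only diff.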
Expand Down Expand Up @@ -113,7 +113,7 @@
<mxCell id="PBNwTgLJ96jfDFWDJ1od-2" value="managed in git" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" parent="1" vertex="1">
<mxGeometry x="89" y="296" width="160" height="30" as="geometry" />
</mxCell>
<mxCell id="DSnCgecDXklZruMILzA5-1" value="" style="edgeStyle=orthogonalEdgeStyle;elbow=vertical;endArrow=classic;html=1;rounded=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="r2mrjyQ1Vl0hvuekhCWr-25" target="DSnCgecDXklZruMILzA5-2">
<mxCell id="DSnCgecDXklZruMILzA5-1" value="" style="edgeStyle=orthogonalEdgeStyle;elbow=vertical;endArrow=classic;html=1;rounded=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" parent="1" source="r2mrjyQ1Vl0hvuekhCWr-25" target="DSnCgecDXklZruMILzA5-2" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="510" y="165" as="sourcePoint" />
<mxPoint x="730" y="215" as="targetPoint" />
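Review bot: this hunk, like the one that follows it, only moves the edge="1" / vertex="1" attribute after parent="1" on each mxCell; ids, styles and geometry are unchanged, so there is no diagram change to review. It is harmless, but it is editor-version churn (24.2.3 -> 24.5.2) that inflates the diff; if the diagram itself did not change, the process.drawio edit could be left out of this docs commit.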
Expand All @@ -123,19 +123,19 @@
</Array>
</mxGeometry>
</mxCell>
<mxCell id="DSnCgecDXklZruMILzA5-2" value="VEX ISSUES" style="shape=document;whiteSpace=wrap;html=1;boundedLbl=1;size=0.25;" vertex="1" parent="1">
<mxCell id="DSnCgecDXklZruMILzA5-2" value="VEX ISSUES" style="shape=document;whiteSpace=wrap;html=1;boundedLbl=1;size=0.25;" parent="1" vertex="1">
<mxGeometry x="650" y="215" width="90" height="40" as="geometry" />
</mxCell>
<mxCell id="DSnCgecDXklZruMILzA5-7" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="DSnCgecDXklZruMILzA5-4" target="r2mrjyQ1Vl0hvuekhCWr-20">
<mxCell id="DSnCgecDXklZruMILzA5-7" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" parent="1" source="DSnCgecDXklZruMILzA5-4" target="r2mrjyQ1Vl0hvuekhCWr-20" edge="1">
<mxGeometry relative="1" as="geometry" />
</mxCell>
<mxCell id="DSnCgecDXklZruMILzA5-4" value="VEX ISSUES" style="shape=document;whiteSpace=wrap;html=1;boundedLbl=1;dashed=1;" vertex="1" parent="1">
<mxCell id="DSnCgecDXklZruMILzA5-4" value="VEX ISSUES" style="shape=document;whiteSpace=wrap;html=1;boundedLbl=1;dashed=1;" parent="1" vertex="1">
<mxGeometry x="270" y="265" width="90" height="40" as="geometry" />
</mxCell>
<mxCell id="DSnCgecDXklZruMILzA5-8" value="2" style="shape=ellipse;perimeter=ellipsePerimeter;fontSize=22;fontStyle=1;shadow=0;strokeColor=#ffffff;fillColor=#F2931E;strokeWidth=4;fontColor=#ffffff;align=center;spacingTop=-4;" vertex="1" parent="1">
<mxCell id="DSnCgecDXklZruMILzA5-8" value="2" style="shape=ellipse;perimeter=ellipsePerimeter;fontSize=22;fontStyle=1;shadow=0;strokeColor=#ffffff;fillColor=#F2931E;strokeWidth=4;fontColor=#ffffff;align=center;spacingTop=-4;" parent="1" vertex="1">
<mxGeometry x="670" y="335" width="50" height="50" as="geometry" />
</mxCell>
<mxCell id="DSnCgecDXklZruMILzA5-6" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="DSnCgecDXklZruMILzA5-2" target="DSnCgecDXklZruMILzA5-8">
<mxCell id="DSnCgecDXklZruMILzA5-6" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" parent="1" source="DSnCgecDXklZruMILzA5-2" target="DSnCgecDXklZruMILzA5-8" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="695" y="275" as="targetPoint" />
</mxGeometry>
